istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/pilot/testdata/gateway-api-crd.yaml (about) 1 # Generated with `kubectl kustomize "https://github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0"` 2 apiVersion: apiextensions.k8s.io/v1 3 kind: CustomResourceDefinition 4 metadata: 5 annotations: 6 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 7 gateway.networking.k8s.io/bundle-version: v1.1.0 8 gateway.networking.k8s.io/channel: experimental 9 creationTimestamp: null 10 labels: 11 gateway.networking.k8s.io/policy: Direct 12 name: backendtlspolicies.gateway.networking.k8s.io 13 spec: 14 group: gateway.networking.k8s.io 15 names: 16 categories: 17 - gateway-api 18 kind: BackendTLSPolicy 19 listKind: BackendTLSPolicyList 20 plural: backendtlspolicies 21 shortNames: 22 - btlspolicy 23 singular: backendtlspolicy 24 scope: Namespaced 25 versions: 26 - additionalPrinterColumns: 27 - jsonPath: .metadata.creationTimestamp 28 name: Age 29 type: date 30 name: v1alpha3 31 schema: 32 openAPIV3Schema: 33 description: |- 34 BackendTLSPolicy provides a way to configure how a Gateway 35 connects to a Backend via TLS. 36 properties: 37 apiVersion: 38 description: |- 39 APIVersion defines the versioned schema of this representation of an object. 40 Servers should convert recognized schemas to the latest internal value, and 41 may reject unrecognized values. 42 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 43 type: string 44 kind: 45 description: |- 46 Kind is a string value representing the REST resource this object represents. 47 Servers may infer this from the endpoint the client submits requests to. 48 Cannot be updated. 49 In CamelCase. 
50 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 51 type: string 52 metadata: 53 type: object 54 spec: 55 description: Spec defines the desired state of BackendTLSPolicy. 56 properties: 57 targetRefs: 58 description: |- 59 TargetRefs identifies an API object to apply the policy to. 60 Only Services have Extended support. Implementations MAY support 61 additional objects, with Implementation Specific support. 62 Note that this config applies to the entire referenced resource 63 by default, but this default may change in the future to provide 64 a more granular application of the policy. 65 66 67 Support: Extended for Kubernetes Service 68 69 70 Support: Implementation-specific for any other resource 71 items: 72 description: |- 73 LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a 74 direct policy to. This should be used as part of Policy resources that can 75 target single resources. For more information on how this policy attachment 76 mode works, and a sample Policy resource, refer to the policy attachment 77 documentation for Gateway API. 78 79 80 Note: This should only be used for direct policy attachment when references 81 to SectionName are actually needed. In all other cases, 82 LocalPolicyTargetReference should be used. 83 properties: 84 group: 85 description: Group is the group of the target resource. 86 maxLength: 253 87 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 88 type: string 89 kind: 90 description: Kind is kind of the target resource. 91 maxLength: 63 92 minLength: 1 93 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 94 type: string 95 name: 96 description: Name is the name of the target resource. 97 maxLength: 253 98 minLength: 1 99 type: string 100 sectionName: 101 description: |- 102 SectionName is the name of a section within the target resource. When 103 unspecified, this targetRef targets the entire resource. 
In the following 104 resources, SectionName is interpreted as the following: 105 106 107 * Gateway: Listener name 108 * HTTPRoute: HTTPRouteRule name 109 * Service: Port name 110 111 112 If a SectionName is specified, but does not exist on the targeted object, 113 the Policy must fail to attach, and the policy implementation should record 114 a `ResolvedRefs` or similar Condition in the Policy's status. 115 maxLength: 253 116 minLength: 1 117 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 118 type: string 119 required: 120 - group 121 - kind 122 - name 123 type: object 124 maxItems: 16 125 minItems: 1 126 type: array 127 validation: 128 description: Validation contains backend TLS validation configuration. 129 properties: 130 caCertificateRefs: 131 description: |- 132 CACertificateRefs contains one or more references to Kubernetes objects that 133 contain a PEM-encoded TLS CA certificate bundle, which is used to 134 validate a TLS handshake between the Gateway and backend Pod. 135 136 137 If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be 138 specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, 139 not both. If CACertifcateRefs is empty or unspecified, the configuration for 140 WellKnownCACertificates MUST be honored instead if supported by the implementation. 141 142 143 References to a resource in a different namespace are invalid for the 144 moment, although we will revisit this in the future. 145 146 147 A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. 148 Implementations MAY choose to support attaching multiple certificates to 149 a backend, but this behavior is implementation-specific. 150 151 152 Support: Core - An optional single reference to a Kubernetes ConfigMap, 153 with the CA certificate in a key named `ca.crt`. 154 155 156 Support: Implementation-specific (More than one reference, or other kinds 157 of resources). 
158 items: 159 description: |- 160 LocalObjectReference identifies an API object within the namespace of the 161 referrer. 162 The API object must be valid in the cluster; the Group and Kind must 163 be registered in the cluster for this reference to be valid. 164 165 166 References to objects with invalid Group and Kind are not valid, and must 167 be rejected by the implementation, with appropriate Conditions set 168 on the containing object. 169 properties: 170 group: 171 description: |- 172 Group is the group of the referent. For example, "gateway.networking.k8s.io". 173 When unspecified or empty string, core API group is inferred. 174 maxLength: 253 175 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 176 type: string 177 kind: 178 description: Kind is kind of the referent. For example "HTTPRoute" 179 or "Service". 180 maxLength: 63 181 minLength: 1 182 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 183 type: string 184 name: 185 description: Name is the name of the referent. 186 maxLength: 253 187 minLength: 1 188 type: string 189 required: 190 - group 191 - kind 192 - name 193 type: object 194 maxItems: 8 195 type: array 196 hostname: 197 description: |- 198 Hostname is used for two purposes in the connection between Gateways and 199 backends: 200 201 202 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). 203 2. Hostname MUST be used for authentication and MUST match the certificate 204 served by the matching backend. 205 206 207 Support: Core 208 maxLength: 253 209 minLength: 1 210 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 211 type: string 212 wellKnownCACertificates: 213 description: |- 214 WellKnownCACertificates specifies whether system CA certificates may be used in 215 the TLS handshake between the gateway and backend pod. 
216 217 218 If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs 219 must be specified with at least one entry for a valid configuration. Only one of 220 CACertificateRefs or WellKnownCACertificates may be specified, not both. If an 221 implementation does not support the WellKnownCACertificates field or the value 222 supplied is not supported, the Status Conditions on the Policy MUST be 223 updated to include an Accepted: False Condition with Reason: Invalid. 224 225 226 Support: Implementation-specific 227 enum: 228 - System 229 type: string 230 required: 231 - hostname 232 type: object 233 x-kubernetes-validations: 234 - message: must not contain both CACertificateRefs and WellKnownCACertificates 235 rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) 236 > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates 237 != "")' 238 - message: must specify either CACertificateRefs or WellKnownCACertificates 239 rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) 240 > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates 241 != "") 242 required: 243 - targetRefs 244 - validation 245 type: object 246 status: 247 description: Status defines the current state of BackendTLSPolicy. 248 properties: 249 ancestors: 250 description: |- 251 Ancestors is a list of ancestor resources (usually Gateways) that are 252 associated with the policy, and the status of the policy with respect to 253 each ancestor. When this policy attaches to a parent, the controller that 254 manages the parent and the ancestors MUST add an entry to this list when 255 the controller first sees the policy and SHOULD update the entry as 256 appropriate when the relevant ancestor is modified. 257 258 259 Note that choosing the relevant ancestor is left to the Policy designers; 260 an important part of Policy design is designing the right object level at 261 which to namespace this status. 
262 263 264 Note also that implementations MUST ONLY populate ancestor status for 265 the Ancestor resources they are responsible for. Implementations MUST 266 use the ControllerName field to uniquely identify the entries in this list 267 that they are responsible for. 268 269 270 Note that to achieve this, the list of PolicyAncestorStatus structs 271 MUST be treated as a map with a composite key, made up of the AncestorRef 272 and ControllerName fields combined. 273 274 275 A maximum of 16 ancestors will be represented in this list. An empty list 276 means the Policy is not relevant for any ancestors. 277 278 279 If this slice is full, implementations MUST NOT add further entries. 280 Instead they MUST consider the policy unimplementable and signal that 281 on any related resources such as the ancestor that would be referenced 282 here. For example, if this list was full on BackendTLSPolicy, no 283 additional Gateways would be able to reference the Service targeted by 284 the BackendTLSPolicy. 285 items: 286 description: |- 287 PolicyAncestorStatus describes the status of a route with respect to an 288 associated Ancestor. 289 290 291 Ancestors refer to objects that are either the Target of a policy or above it 292 in terms of object hierarchy. For example, if a policy targets a Service, the 293 Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 294 the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most 295 useful object to place Policy status on, so we recommend that implementations 296 SHOULD use Gateway as the PolicyAncestorStatus object unless the designers 297 have a _very_ good reason otherwise. 298 299 300 In the context of policy attachment, the Ancestor is used to distinguish which 301 resource results in a distinct application of this policy. For example, if a policy 302 targets a Service, it may have a distinct result per attached Gateway. 
303 304 305 Policies targeting the same resource may have different effects depending on the 306 ancestors of those resources. For example, different Gateways targeting the same 307 Service may have different capabilities, especially if they have different underlying 308 implementations. 309 310 311 For example, in BackendTLSPolicy, the Policy attaches to a Service that is 312 used as a backend in a HTTPRoute that is itself attached to a Gateway. 313 In this case, the relevant object for status is the Gateway, and that is the 314 ancestor object referred to in this status. 315 316 317 Note that a parent is also an ancestor, so for objects where the parent is the 318 relevant object for status, this struct SHOULD still be used. 319 320 321 This struct is intended to be used in a slice that's effectively a map, 322 with a composite key made up of the AncestorRef and the ControllerName. 323 properties: 324 ancestorRef: 325 description: |- 326 AncestorRef corresponds with a ParentRef in the spec that this 327 PolicyAncestorStatus struct describes the status of. 328 properties: 329 group: 330 default: gateway.networking.k8s.io 331 description: |- 332 Group is the group of the referent. 333 When unspecified, "gateway.networking.k8s.io" is inferred. 334 To set the core API group (such as for a "Service" kind referent), 335 Group must be explicitly set to "" (empty string). 336 337 338 Support: Core 339 maxLength: 253 340 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 341 type: string 342 kind: 343 default: Gateway 344 description: |- 345 Kind is kind of the referent. 346 347 348 There are two kinds of parent resources with "Core" support: 349 350 351 * Gateway (Gateway conformance profile) 352 * Service (Mesh conformance profile, ClusterIP Services only) 353 354 355 Support for other resources is Implementation-Specific. 
356 maxLength: 63 357 minLength: 1 358 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 359 type: string 360 name: 361 description: |- 362 Name is the name of the referent. 363 364 365 Support: Core 366 maxLength: 253 367 minLength: 1 368 type: string 369 namespace: 370 description: |- 371 Namespace is the namespace of the referent. When unspecified, this refers 372 to the local namespace of the Route. 373 374 375 Note that there are specific rules for ParentRefs which cross namespace 376 boundaries. Cross-namespace references are only valid if they are explicitly 377 allowed by something in the namespace they are referring to. For example: 378 Gateway has the AllowedRoutes field, and ReferenceGrant provides a 379 generic way to enable any other kind of cross-namespace reference. 380 381 382 383 ParentRefs from a Route to a Service in the same namespace are "producer" 384 routes, which apply default routing rules to inbound connections from 385 any namespace to the Service. 386 387 388 ParentRefs from a Route to a Service in a different namespace are 389 "consumer" routes, and these routing rules are only applied to outbound 390 connections originating from the same namespace as the Route, for which 391 the intended destination of the connections are a Service targeted as a 392 ParentRef of the Route. 393 394 395 396 Support: Core 397 maxLength: 63 398 minLength: 1 399 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 400 type: string 401 port: 402 description: |- 403 Port is the network port this Route targets. It can be interpreted 404 differently based on the type of parent resource. 405 406 407 When the parent resource is a Gateway, this targets all listeners 408 listening on the specified port that also support this kind of Route(and 409 select this Route). It's not recommended to set `Port` unless the 410 networking behaviors specified in a Route must apply to a specific port 411 as opposed to a listener(s) whose port(s) may be changed. 
When both Port 412 and SectionName are specified, the name and port of the selected listener 413 must match both specified values. 414 415 416 417 When the parent resource is a Service, this targets a specific port in the 418 Service spec. When both Port (experimental) and SectionName are specified, 419 the name and port of the selected port must match both specified values. 420 421 422 423 Implementations MAY choose to support other parent resources. 424 Implementations supporting other types of parent resources MUST clearly 425 document how/if Port is interpreted. 426 427 428 For the purpose of status, an attachment is considered successful as 429 long as the parent resource accepts it partially. For example, Gateway 430 listeners can restrict which Routes can attach to them by Route kind, 431 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment 432 from the referencing Route, the Route MUST be considered successfully 433 attached. If no Gateway listeners accept attachment from this Route, 434 the Route MUST be considered detached from the Gateway. 435 436 437 Support: Extended 438 format: int32 439 maximum: 65535 440 minimum: 1 441 type: integer 442 sectionName: 443 description: |- 444 SectionName is the name of a section within the target resource. In the 445 following resources, SectionName is interpreted as the following: 446 447 448 * Gateway: Listener name. When both Port (experimental) and SectionName 449 are specified, the name and port of the selected listener must match 450 both specified values. 451 * Service: Port name. When both Port (experimental) and SectionName 452 are specified, the name and port of the selected listener must match 453 both specified values. 454 455 456 Implementations MAY choose to support attaching Routes to other resources. 457 If that is the case, they MUST clearly document how SectionName is 458 interpreted. 459 460 461 When unspecified (empty string), this will reference the entire resource. 
462 For the purpose of status, an attachment is considered successful if at 463 least one section in the parent resource accepts it. For example, Gateway 464 listeners can restrict which Routes can attach to them by Route kind, 465 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from 466 the referencing Route, the Route MUST be considered successfully 467 attached. If no Gateway listeners accept attachment from this Route, the 468 Route MUST be considered detached from the Gateway. 469 470 471 Support: Core 472 maxLength: 253 473 minLength: 1 474 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 475 type: string 476 required: 477 - name 478 type: object 479 conditions: 480 description: Conditions describes the status of the Policy with 481 respect to the given Ancestor. 482 items: 483 description: "Condition contains details for one aspect of 484 the current state of this API Resource.\n---\nThis struct 485 is intended for direct use as an array at the field path 486 .status.conditions. For example,\n\n\n\ttype FooStatus 487 struct{\n\t // Represents the observations of a foo's 488 current state.\n\t // Known .status.conditions.type are: 489 \"Available\", \"Progressing\", and \"Degraded\"\n\t // 490 +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // 491 +listType=map\n\t // +listMapKey=type\n\t Conditions 492 []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" 493 patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t 494 \ // other fields\n\t}" 495 properties: 496 lastTransitionTime: 497 description: |- 498 lastTransitionTime is the last time the condition transitioned from one status to another. 499 This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
500 format: date-time 501 type: string 502 message: 503 description: |- 504 message is a human readable message indicating details about the transition. 505 This may be an empty string. 506 maxLength: 32768 507 type: string 508 observedGeneration: 509 description: |- 510 observedGeneration represents the .metadata.generation that the condition was set based upon. 511 For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date 512 with respect to the current state of the instance. 513 format: int64 514 minimum: 0 515 type: integer 516 reason: 517 description: |- 518 reason contains a programmatic identifier indicating the reason for the condition's last transition. 519 Producers of specific condition types may define expected values and meanings for this field, 520 and whether the values are considered a guaranteed API. 521 The value should be a CamelCase string. 522 This field may not be empty. 523 maxLength: 1024 524 minLength: 1 525 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 526 type: string 527 status: 528 description: status of the condition, one of True, False, 529 Unknown. 530 enum: 531 - "True" 532 - "False" 533 - Unknown 534 type: string 535 type: 536 description: |- 537 type of condition in CamelCase or in foo.example.com/CamelCase. 538 --- 539 Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be 540 useful (see .node.status.conditions), the ability to deconflict is important. 
541 The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) 542 maxLength: 316 543 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 544 type: string 545 required: 546 - lastTransitionTime 547 - message 548 - reason 549 - status 550 - type 551 type: object 552 maxItems: 8 553 minItems: 1 554 type: array 555 x-kubernetes-list-map-keys: 556 - type 557 x-kubernetes-list-type: map 558 controllerName: 559 description: |- 560 ControllerName is a domain/path string that indicates the name of the 561 controller that wrote this status. This corresponds with the 562 controllerName field on GatewayClass. 563 564 565 Example: "example.net/gateway-controller". 566 567 568 The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are 569 valid Kubernetes names 570 (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). 571 572 573 Controllers MUST populate this field when writing status. Controllers should ensure that 574 entries to status populated with their ControllerName are cleaned up when they are no 575 longer necessary. 
576 maxLength: 253 577 minLength: 1 578 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ 579 type: string 580 required: 581 - ancestorRef 582 - controllerName 583 type: object 584 maxItems: 16 585 type: array 586 required: 587 - ancestors 588 type: object 589 required: 590 - spec 591 type: object 592 served: true 593 storage: true 594 subresources: 595 status: {} 596 status: 597 acceptedNames: 598 kind: "" 599 plural: "" 600 conditions: null 601 storedVersions: null 602 --- 603 apiVersion: apiextensions.k8s.io/v1 604 kind: CustomResourceDefinition 605 metadata: 606 annotations: 607 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 608 gateway.networking.k8s.io/bundle-version: v1.1.0 609 gateway.networking.k8s.io/channel: experimental 610 creationTimestamp: null 611 name: gatewayclasses.gateway.networking.k8s.io 612 spec: 613 group: gateway.networking.k8s.io 614 names: 615 categories: 616 - gateway-api 617 kind: GatewayClass 618 listKind: GatewayClassList 619 plural: gatewayclasses 620 shortNames: 621 - gc 622 singular: gatewayclass 623 scope: Cluster 624 versions: 625 - additionalPrinterColumns: 626 - jsonPath: .spec.controllerName 627 name: Controller 628 type: string 629 - jsonPath: .status.conditions[?(@.type=="Accepted")].status 630 name: Accepted 631 type: string 632 - jsonPath: .metadata.creationTimestamp 633 name: Age 634 type: date 635 - jsonPath: .spec.description 636 name: Description 637 priority: 1 638 type: string 639 name: v1 640 schema: 641 openAPIV3Schema: 642 description: |- 643 GatewayClass describes a class of Gateways available to the user for creating 644 Gateway resources. 645 646 647 It is recommended that this resource be used as a template for Gateways. 
This 648 means that a Gateway is based on the state of the GatewayClass at the time it 649 was created and changes to the GatewayClass or associated parameters are not 650 propagated down to existing Gateways. This recommendation is intended to 651 limit the blast radius of changes to GatewayClass or associated parameters. 652 If implementations choose to propagate GatewayClass changes to existing 653 Gateways, that MUST be clearly documented by the implementation. 654 655 656 Whenever one or more Gateways are using a GatewayClass, implementations SHOULD 657 add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the 658 associated GatewayClass. This ensures that a GatewayClass associated with a 659 Gateway is not deleted while in use. 660 661 662 GatewayClass is a Cluster level resource. 663 properties: 664 apiVersion: 665 description: |- 666 APIVersion defines the versioned schema of this representation of an object. 667 Servers should convert recognized schemas to the latest internal value, and 668 may reject unrecognized values. 669 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 670 type: string 671 kind: 672 description: |- 673 Kind is a string value representing the REST resource this object represents. 674 Servers may infer this from the endpoint the client submits requests to. 675 Cannot be updated. 676 In CamelCase. 677 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 678 type: string 679 metadata: 680 type: object 681 spec: 682 description: Spec defines the desired state of GatewayClass. 683 properties: 684 controllerName: 685 description: |- 686 ControllerName is the name of the controller that is managing Gateways of 687 this class. The value of this field MUST be a domain prefixed path. 688 689 690 Example: "example.net/gateway-controller". 691 692 693 This field is not mutable and cannot be empty. 
694 695 696 Support: Core 697 maxLength: 253 698 minLength: 1 699 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ 700 type: string 701 x-kubernetes-validations: 702 - message: Value is immutable 703 rule: self == oldSelf 704 description: 705 description: Description helps describe a GatewayClass with more details. 706 maxLength: 64 707 type: string 708 parametersRef: 709 description: |- 710 ParametersRef is a reference to a resource that contains the configuration 711 parameters corresponding to the GatewayClass. This is optional if the 712 controller does not require any additional configuration. 713 714 715 ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, 716 or an implementation-specific custom resource. The resource can be 717 cluster-scoped or namespace-scoped. 718 719 720 If the referent cannot be found, the GatewayClass's "InvalidParameters" 721 status condition will be true. 722 723 724 A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, 725 the merging behavior is implementation specific. 726 It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. 727 728 729 Support: Implementation-specific 730 properties: 731 group: 732 description: Group is the group of the referent. 733 maxLength: 253 734 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 735 type: string 736 kind: 737 description: Kind is kind of the referent. 738 maxLength: 63 739 minLength: 1 740 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 741 type: string 742 name: 743 description: Name is the name of the referent. 744 maxLength: 253 745 minLength: 1 746 type: string 747 namespace: 748 description: |- 749 Namespace is the namespace of the referent. 750 This field is required when referring to a Namespace-scoped resource and 751 MUST be unset when referring to a Cluster-scoped resource. 
752 maxLength: 63 753 minLength: 1 754 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 755 type: string 756 required: 757 - group 758 - kind 759 - name 760 type: object 761 required: 762 - controllerName 763 type: object 764 status: 765 default: 766 conditions: 767 - lastTransitionTime: "1970-01-01T00:00:00Z" 768 message: Waiting for controller 769 reason: Waiting 770 status: Unknown 771 type: Accepted 772 description: |- 773 Status defines the current state of GatewayClass. 774 775 776 Implementations MUST populate status on all GatewayClass resources which 777 specify their controller name. 778 properties: 779 conditions: 780 default: 781 - lastTransitionTime: "1970-01-01T00:00:00Z" 782 message: Waiting for controller 783 reason: Pending 784 status: Unknown 785 type: Accepted 786 description: |- 787 Conditions is the current status from the controller for 788 this GatewayClass. 789 790 791 Controllers should prefer to publish conditions using values 792 of GatewayClassConditionType for the type of each Condition. 793 items: 794 description: "Condition contains details for one aspect of the current 795 state of this API Resource.\n---\nThis struct is intended for 796 direct use as an array at the field path .status.conditions. For 797 example,\n\n\n\ttype FooStatus struct{\n\t // Represents the 798 observations of a foo's current state.\n\t // Known .status.conditions.type 799 are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // 800 +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t 801 \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" 802 patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t 803 \ // other fields\n\t}" 804 properties: 805 lastTransitionTime: 806 description: |- 807 lastTransitionTime is the last time the condition transitioned from one status to another. 808 This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. 809 format: date-time 810 type: string 811 message: 812 description: |- 813 message is a human readable message indicating details about the transition. 814 This may be an empty string. 815 maxLength: 32768 816 type: string 817 observedGeneration: 818 description: |- 819 observedGeneration represents the .metadata.generation that the condition was set based upon. 820 For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date 821 with respect to the current state of the instance. 822 format: int64 823 minimum: 0 824 type: integer 825 reason: 826 description: |- 827 reason contains a programmatic identifier indicating the reason for the condition's last transition. 828 Producers of specific condition types may define expected values and meanings for this field, 829 and whether the values are considered a guaranteed API. 830 The value should be a CamelCase string. 831 This field may not be empty. 832 maxLength: 1024 833 minLength: 1 834 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 835 type: string 836 status: 837 description: status of the condition, one of True, False, Unknown. 838 enum: 839 - "True" 840 - "False" 841 - Unknown 842 type: string 843 type: 844 description: |- 845 type of condition in CamelCase or in foo.example.com/CamelCase. 846 --- 847 Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be 848 useful (see .node.status.conditions), the ability to deconflict is important. 
849 The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) 850 maxLength: 316 851 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 852 type: string 853 required: 854 - lastTransitionTime 855 - message 856 - reason 857 - status 858 - type 859 type: object 860 maxItems: 8 861 type: array 862 x-kubernetes-list-map-keys: 863 - type 864 x-kubernetes-list-type: map 865 supportedFeatures: 866 description: | 867 SupportedFeatures is the set of features the GatewayClass support. 868 It MUST be sorted in ascending alphabetical order. 869 items: 870 description: |- 871 SupportedFeature is used to describe distinct features that are covered by 872 conformance tests. 873 type: string 874 maxItems: 64 875 type: array 876 x-kubernetes-list-type: set 877 type: object 878 required: 879 - spec 880 type: object 881 served: true 882 storage: true 883 subresources: 884 status: {} 885 - additionalPrinterColumns: 886 - jsonPath: .spec.controllerName 887 name: Controller 888 type: string 889 - jsonPath: .status.conditions[?(@.type=="Accepted")].status 890 name: Accepted 891 type: string 892 - jsonPath: .metadata.creationTimestamp 893 name: Age 894 type: date 895 - jsonPath: .spec.description 896 name: Description 897 priority: 1 898 type: string 899 name: v1beta1 900 schema: 901 openAPIV3Schema: 902 description: |- 903 GatewayClass describes a class of Gateways available to the user for creating 904 Gateway resources. 905 906 907 It is recommended that this resource be used as a template for Gateways. This 908 means that a Gateway is based on the state of the GatewayClass at the time it 909 was created and changes to the GatewayClass or associated parameters are not 910 propagated down to existing Gateways. This recommendation is intended to 911 limit the blast radius of changes to GatewayClass or associated parameters. 
          If implementations choose to propagate GatewayClass changes to existing
          Gateways, that MUST be clearly documented by the implementation.


          Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
          add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
          associated GatewayClass. This ensures that a GatewayClass associated with a
          Gateway is not deleted while in use.


          GatewayClass is a Cluster level resource.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of GatewayClass.
            properties:
              controllerName:
                description: |-
                  ControllerName is the name of the controller that is managing Gateways of
                  this class. The value of this field MUST be a domain prefixed path.


                  Example: "example.net/gateway-controller".


                  This field is not mutable and cannot be empty.


                  Support: Core
                maxLength: 253
                minLength: 1
                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                type: string
                x-kubernetes-validations:
                - message: Value is immutable
                  rule: self == oldSelf
              description:
                description: Description helps describe a GatewayClass with more details.
                maxLength: 64
                type: string
              parametersRef:
                description: |-
                  ParametersRef is a reference to a resource that contains the configuration
                  parameters corresponding to the GatewayClass. This is optional if the
                  controller does not require any additional configuration.


                  ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
                  or an implementation-specific custom resource. The resource can be
                  cluster-scoped or namespace-scoped.


                  If the referent cannot be found, the GatewayClass's "InvalidParameters"
                  status condition will be true.


                  A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
                  the merging behavior is implementation specific.
                  It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.


                  Support: Implementation-specific
                properties:
                  group:
                    description: Group is the group of the referent.
                    maxLength: 253
                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                  kind:
                    description: Kind is kind of the referent.
                    maxLength: 63
                    minLength: 1
                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                    type: string
                  name:
                    description: Name is the name of the referent.
                    maxLength: 253
                    minLength: 1
                    type: string
                  namespace:
                    description: |-
                      Namespace is the namespace of the referent.
                      This field is required when referring to a Namespace-scoped resource and
                      MUST be unset when referring to a Cluster-scoped resource.
                    maxLength: 63
                    minLength: 1
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    type: string
                required:
                - group
                - kind
                - name
                type: object
            required:
            - controllerName
            type: object
          status:
            default:
              conditions:
              - lastTransitionTime: "1970-01-01T00:00:00Z"
                message: Waiting for controller
                reason: Waiting
                status: Unknown
                type: Accepted
            description: |-
              Status defines the current state of GatewayClass.


              Implementations MUST populate status on all GatewayClass resources which
              specify their controller name.
            properties:
              conditions:
                default:
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: Pending
                  status: Unknown
                  type: Accepted
                description: |-
                  Conditions is the current status from the controller for
                  this GatewayClass.


                  Controllers should prefer to publish conditions using values
                  of GatewayClassConditionType for the type of each Condition.
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions. For
                    example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
                    observations of a foo's current state.\n\t // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                    +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
                    \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \ // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                maxItems: 8
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              supportedFeatures:
                description: |
                  SupportedFeatures is the set of features the GatewayClass support.
                  It MUST be sorted in ascending alphabetical order.
                items:
                  description: |-
                    SupportedFeature is used to describe distinct features that are covered by
                    conformance tests.
                  type: string
                maxItems: 64
                type: array
                x-kubernetes-list-type: set
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
    gateway.networking.k8s.io/bundle-version: v1.1.0
    gateway.networking.k8s.io/channel: experimental
  creationTimestamp: null
  name: gateways.gateway.networking.k8s.io
spec:
  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
    kind: Gateway
    listKind: GatewayList
    plural: gateways
    shortNames:
    - gtw
    singular: gateway
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.gatewayClassName
      name: Class
      type: string
    - jsonPath: .status.addresses[*].value
      name: Address
      type: string
    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
      name: Programmed
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: |-
          Gateway represents an instance of a service-traffic handling infrastructure
          by binding Listeners to a set of IP addresses.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of Gateway.
            properties:
              addresses:
                description: |+
                  Addresses requested for this Gateway. This is optional and behavior can
                  depend on the implementation. If a value is set in the spec and the
                  requested address is invalid or unavailable, the implementation MUST
                  indicate this in the associated entry in GatewayStatus.Addresses.


                  The Addresses field represents a request for the address(es) on the
                  "outside of the Gateway", that traffic bound for this Gateway will use.
                  This could be the IP address or hostname of an external load balancer or
                  other networking infrastructure, or some other address that traffic will
                  be sent to.


                  If no Addresses are specified, the implementation MAY schedule the
                  Gateway in an implementation-specific manner, assigning an appropriate
                  set of Addresses.


                  The implementation MUST bind all Listeners to every GatewayAddress that
                  it assigns to the Gateway and add a corresponding entry in
                  GatewayStatus.Addresses.


                  Support: Extended


                items:
                  description: GatewayAddress describes an address that can be bound
                    to a Gateway.
                  oneOf:
                  - properties:
                      type:
                        enum:
                        - IPAddress
                      value:
                        anyOf:
                        - format: ipv4
                        - format: ipv6
                  - properties:
                      type:
                        not:
                          enum:
                          - IPAddress
                  properties:
                    type:
                      default: IPAddress
                      description: Type of the address.
                      maxLength: 253
                      minLength: 1
                      pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    value:
                      description: |-
                        Value of the address. The validity of the values will depend
                        on the type and support by the controller.


                        Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
                      maxLength: 253
                      minLength: 1
                      type: string
                  required:
                  - value
                  type: object
                  x-kubernetes-validations:
                  - message: Hostname value must only contain valid characters (matching
                      ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
                    rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
                      true'
                maxItems: 16
                type: array
                x-kubernetes-validations:
                - message: IPAddress values must be unique
                  rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
                    a2.type == a1.type && a2.value == a1.value) : true )'
                - message: Hostname values must be unique
                  rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
                    a2.type == a1.type && a2.value == a1.value) : true )'
              gatewayClassName:
                description: |-
                  GatewayClassName used for this Gateway. This is the name of a
                  GatewayClass resource.
                maxLength: 253
                minLength: 1
                type: string
              infrastructure:
                description: |+
                  Infrastructure defines infrastructure level attributes about this Gateway instance.


                  Support: Core


                properties:
                  annotations:
                    additionalProperties:
                      description: |-
                        AnnotationValue is the value of an annotation in Gateway API. This is used
                        for validation of maps such as TLS options. This roughly matches Kubernetes
                        annotation validation, although the length validation in that case is based
                        on the entire size of the annotations struct.
                      maxLength: 4096
                      minLength: 0
                      type: string
                    description: |-
                      Annotations that SHOULD be applied to any resources created in response to this Gateway.


                      For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
                      For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.


                      An implementation may chose to add additional implementation-specific annotations as they see fit.


                      Support: Extended
                    maxProperties: 8
                    type: object
                  labels:
                    additionalProperties:
                      description: |-
                        AnnotationValue is the value of an annotation in Gateway API. This is used
                        for validation of maps such as TLS options. This roughly matches Kubernetes
                        annotation validation, although the length validation in that case is based
                        on the entire size of the annotations struct.
                      maxLength: 4096
                      minLength: 0
                      type: string
                    description: |-
                      Labels that SHOULD be applied to any resources created in response to this Gateway.


                      For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
                      For other implementations, this refers to any relevant (implementation specific) "labels" concepts.


                      An implementation may chose to add additional implementation-specific labels as they see fit.


                      Support: Extended
                    maxProperties: 8
                    type: object
                  parametersRef:
                    description: |-
                      ParametersRef is a reference to a resource that contains the configuration
                      parameters corresponding to the Gateway. This is optional if the
                      controller does not require any additional configuration.


                      This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis


                      The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
                      the merging behavior is implementation specific.
                      It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.


                      Support: Implementation-specific
                    properties:
                      group:
                        description: Group is the group of the referent.
                        maxLength: 253
                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                      kind:
                        description: Kind is kind of the referent.
                        maxLength: 63
                        minLength: 1
                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                        type: string
                      name:
                        description: Name is the name of the referent.
                        maxLength: 253
                        minLength: 1
                        type: string
                    required:
                    - group
                    - kind
                    - name
                    type: object
                type: object
              listeners:
                description: |-
                  Listeners associated with this Gateway. Listeners define
                  logical endpoints that are bound on this Gateway's addresses.
                  At least one Listener MUST be specified.


                  Each Listener in a set of Listeners (for example, in a single Gateway)
                  MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
                  exactly one listener. (This section uses "set of Listeners" rather than
                  "Listeners in a single Gateway" because implementations MAY merge configuration
                  from multiple Gateways onto a single data plane, and these rules _also_
                  apply in that case).


                  Practically, this means that each listener in a set MUST have a unique
                  combination of Port, Protocol, and, if supported by the protocol, Hostname.


                  Some combinations of port, protocol, and TLS settings are considered
                  Core support and MUST be supported by implementations based on their
                  targeted conformance profile:


                  HTTP Profile


                  1. HTTPRoute, Port: 80, Protocol: HTTP
                  2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided


                  TLS Profile


                  1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough


                  "Distinct" Listeners have the following property:


                  The implementation can match inbound requests to a single distinct
                  Listener. When multiple Listeners share values for fields (for
                  example, two Listeners with the same Port value), the implementation
                  can match requests to only one of the Listeners using other
                  Listener fields.


                  For example, the following Listener scenarios are distinct:


                  1. Multiple Listeners with the same Port that all use the "HTTP"
                     Protocol that all have unique Hostname values.
                  2. Multiple Listeners with the same Port that use either the "HTTPS" or
                     "TLS" Protocol that all have unique Hostname values.
                  3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
                     with the same Protocol has the same Port value.


                  Some fields in the Listener struct have possible values that affect
                  whether the Listener is distinct. Hostname is particularly relevant
                  for HTTP or HTTPS protocols.


                  When using the Hostname value to select between same-Port, same-Protocol
                  Listeners, the Hostname value must be different on each Listener for the
                  Listener to be distinct.


                  When the Listeners are distinct based on Hostname, inbound request
                  hostnames MUST match from the most specific to least specific Hostname
                  values to choose the correct Listener and its associated set of Routes.


                  Exact matches must be processed before wildcard matches, and wildcard
                  matches must be processed before fallback (empty Hostname value)
                  matches. For example, `"foo.example.com"` takes precedence over
                  `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.


                  Additionally, if there are multiple wildcard entries, more specific
                  wildcard entries must be processed before less specific wildcard entries.
                  For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
                  The precise definition here is that the higher the number of dots in the
                  hostname to the right of the wildcard character, the higher the precedence.


                  The wildcard character will match any number of characters _and dots_ to
                  the left, however, so `"*.example.com"` will match both
                  `"foo.bar.example.com"` _and_ `"bar.example.com"`.


                  If a set of Listeners contains Listeners that are not distinct, then those
                  Listeners are Conflicted, and the implementation MUST set the "Conflicted"
                  condition in the Listener Status to "True".


                  Implementations MAY choose to accept a Gateway with some Conflicted
                  Listeners only if they only accept the partial Listener set that contains
                  no Conflicted Listeners. To put this another way, implementations may
                  accept a partial Listener set only if they throw out *all* the conflicting
                  Listeners. No picking one of the conflicting listeners as the winner.
                  This also means that the Gateway must have at least one non-conflicting
                  Listener in this case, otherwise it violates the requirement that at
                  least one Listener must be present.


                  The implementation MUST set a "ListenersNotValid" condition on the
                  Gateway Status when the Gateway contains Conflicted Listeners whether or
                  not they accept the Gateway. That Condition SHOULD clearly
                  indicate in the Message which Listeners are conflicted, and which are
                  Accepted. Additionally, the Listener status for those listeners SHOULD
                  indicate which Listeners are conflicted and not Accepted.


                  A Gateway's Listeners are considered "compatible" if:


                  1. They are distinct.
                  2. The implementation can serve them in compliance with the Addresses
                     requirement that all Listeners are available on all assigned
                     addresses.


                  Compatible combinations in Extended support are expected to vary across
                  implementations. A combination that is compatible for one implementation
                  may not be compatible for another.


                  For example, an implementation that cannot serve both TCP and UDP listeners
                  on the same address, or cannot mix HTTPS and generic TLS listens on the same port
                  would not consider those cases compatible, even though they are distinct.


                  Note that requests SHOULD match at most one Listener. For example, if
                  Listeners are defined for "foo.example.com" and "*.example.com", a
                  request to "foo.example.com" SHOULD only be routed using routes attached
                  to the "foo.example.com" Listener (and not the "*.example.com" Listener).
                  This concept is known as "Listener Isolation". Implementations that do
                  not support Listener Isolation MUST clearly document this.


                  Implementations MAY merge separate Gateways onto a single set of
                  Addresses if all Listeners across all Gateways are compatible.


                  Support: Core
                items:
                  description: |-
                    Listener embodies the concept of a logical endpoint where a Gateway accepts
                    network connections.
                  properties:
                    allowedRoutes:
                      default:
                        namespaces:
                          from: Same
                      description: |-
                        AllowedRoutes defines the types of routes that MAY be attached to a
                        Listener and the trusted namespaces where those Route resources MAY be
                        present.


                        Although a client request may match multiple route rules, only one rule
                        may ultimately receive the request. Matching precedence MUST be
                        determined in order of the following criteria:


                        * The most specific match as defined by the Route type.
                        * The oldest Route based on creation timestamp. For example, a Route with
                          a creation timestamp of "2020-09-08 01:02:03" is given precedence over
                          a Route with a creation timestamp of "2020-09-08 01:02:04".
                        * If everything else is equivalent, the Route appearing first in
                          alphabetical order (namespace/name) should be given precedence. For
                          example, foo/bar is given precedence over foo/baz.


                        All valid rules within a Route attached to this Listener should be
                        implemented. Invalid Route rules can be ignored (sometimes that will mean
                        the full Route). If a Route rule transitions from valid to invalid,
                        support for that Route rule should be dropped to ensure consistency. For
                        example, even if a filter specified by a Route rule is invalid, the rest
                        of the rules within that Route should still be supported.


                        Support: Core
                      properties:
                        kinds:
                          description: |-
                            Kinds specifies the groups and kinds of Routes that are allowed to bind
                            to this Gateway Listener. When unspecified or empty, the kinds of Routes
                            selected are determined using the Listener protocol.


                            A RouteGroupKind MUST correspond to kinds of Routes that are compatible
                            with the application protocol specified in the Listener's Protocol field.
                            If an implementation does not support or recognize this resource type, it
                            MUST set the "ResolvedRefs" condition to False for this Listener with the
                            "InvalidRouteKinds" reason.


                            Support: Core
                          items:
                            description: RouteGroupKind indicates the group and kind
                              of a Route resource.
                            properties:
                              group:
                                default: gateway.networking.k8s.io
                                description: Group is the group of the Route.
                                maxLength: 253
                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              kind:
                                description: Kind is the kind of the Route.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                type: string
                            required:
                            - kind
                            type: object
                          maxItems: 8
                          type: array
                        namespaces:
                          default:
                            from: Same
                          description: |-
                            Namespaces indicates namespaces from which Routes may be attached to this
                            Listener. This is restricted to the namespace of this Gateway by default.


                            Support: Core
                          properties:
                            from:
                              default: Same
                              description: |-
                                From indicates where Routes will be selected for this Gateway. Possible
                                values are:


                                * All: Routes in all namespaces may be used by this Gateway.
                                * Selector: Routes in namespaces selected by the selector may be used by
                                  this Gateway.
                                * Same: Only Routes in the same namespace may be used by this Gateway.


                                Support: Core
                              enum:
                              - All
                              - Selector
                              - Same
                              type: string
                            selector:
                              description: |-
                                Selector must be specified when From is set to "Selector". In that case,
                                only Routes in Namespaces matching this Selector will be selected by this
                                Gateway. This field is ignored for other values of "From".


                                Support: Core
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                      type: object
                    hostname:
                      description: |-
                        Hostname specifies the virtual hostname to match for protocol types that
                        define this concept. When unspecified, all hostnames are matched. This
                        field is ignored for protocols that don't require hostname based
                        matching.


                        Implementations MUST apply Hostname matching appropriately for each of
                        the following protocols:


                        * TLS: The Listener Hostname MUST match the SNI.
                        * HTTP: The Listener Hostname MUST match the Host header of the request.
                        * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
                          protocol layers as described above. If an implementation does not
                          ensure that both the SNI and Host header match the Listener hostname,
                          it MUST clearly document that.


                        For HTTPRoute and TLSRoute resources, there is an interaction with the
                        `spec.hostnames` array. When both listener and route specify hostnames,
                        there MUST be an intersection between the values for a Route to be
                        accepted. For more information, refer to the Route specific Hostnames
                        documentation.


                        Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
                        as a suffix match. That means that a match for `*.example.com` would match
                        both `test.example.com`, and `foo.test.example.com`, but not `example.com`.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    name:
                      description: |-
                        Name is the name of the Listener. This name MUST be unique within a
                        Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    port:
                      description: |-
                        Port is the network port. Multiple listeners may use the
                        same port, subject to the Listener compatibility rules.


                        Support: Core
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    protocol:
                      description: |-
                        Protocol specifies the network protocol this listener expects to receive.


                        Support: Core
                      maxLength: 255
                      minLength: 1
                      pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
                      type: string
                    tls:
                      description: |-
                        TLS is the TLS configuration for the Listener. This field is required if
                        the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
                        if the Protocol field is "HTTP", "TCP", or "UDP".


                        The association of SNIs to Certificate defined in GatewayTLSConfig is
                        defined based on the Hostname field for this listener.


                        The GatewayClass MUST use the longest matching SNI out of all
                        available certificates for any TLS handshake.


                        Support: Core
                      properties:
                        certificateRefs:
                          description: |-
                            CertificateRefs contains a series of references to Kubernetes objects that
                            contains TLS certificates and private keys. These certificates are used to
                            establish a TLS handshake for requests that match the hostname of the
                            associated listener.


                            A single CertificateRef to a Kubernetes Secret has "Core" support.
                            Implementations MAY choose to support attaching multiple certificates to
                            a Listener, but this behavior is implementation-specific.


                            References to a resource in different namespace are invalid UNLESS there
                            is a ReferenceGrant in the target namespace that allows the certificate
                            to be attached. If a ReferenceGrant does not allow this reference, the
                            "ResolvedRefs" condition MUST be set to False for this listener with the
                            "RefNotPermitted" reason.
1805 1806 1807 This field is required to have at least one element when the mode is set 1808 to "Terminate" (default) and is optional otherwise. 1809 1810 1811 CertificateRefs can reference to standard Kubernetes resources, i.e. 1812 Secret, or implementation-specific custom resources. 1813 1814 1815 Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls 1816 1817 1818 Support: Implementation-specific (More than one reference or other resource types) 1819 items: 1820 description: |- 1821 SecretObjectReference identifies an API object including its namespace, 1822 defaulting to Secret. 1823 1824 1825 The API object must be valid in the cluster; the Group and Kind must 1826 be registered in the cluster for this reference to be valid. 1827 1828 1829 References to objects with invalid Group and Kind are not valid, and must 1830 be rejected by the implementation, with appropriate Conditions set 1831 on the containing object. 1832 properties: 1833 group: 1834 default: "" 1835 description: |- 1836 Group is the group of the referent. For example, "gateway.networking.k8s.io". 1837 When unspecified or empty string, core API group is inferred. 1838 maxLength: 253 1839 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1840 type: string 1841 kind: 1842 default: Secret 1843 description: Kind is kind of the referent. For example 1844 "Secret". 1845 maxLength: 63 1846 minLength: 1 1847 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 1848 type: string 1849 name: 1850 description: Name is the name of the referent. 1851 maxLength: 253 1852 minLength: 1 1853 type: string 1854 namespace: 1855 description: |- 1856 Namespace is the namespace of the referenced object. When unspecified, the local 1857 namespace is inferred. 
1858 1859 1860 Note that when a namespace different than the local namespace is specified, 1861 a ReferenceGrant object is required in the referent namespace to allow that 1862 namespace's owner to accept the reference. See the ReferenceGrant 1863 documentation for details. 1864 1865 1866 Support: Core 1867 maxLength: 63 1868 minLength: 1 1869 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 1870 type: string 1871 required: 1872 - name 1873 type: object 1874 maxItems: 64 1875 type: array 1876 frontendValidation: 1877 description: |+ 1878 FrontendValidation holds configuration information for validating the frontend (client). 1879 Setting this field will require clients to send a client certificate 1880 required for validation during the TLS handshake. In browsers this may result in a dialog appearing 1881 that requests a user to specify the client certificate. 1882 The maximum depth of a certificate chain accepted in verification is Implementation specific. 1883 1884 1885 Support: Extended 1886 1887 1888 properties: 1889 caCertificateRefs: 1890 description: |- 1891 CACertificateRefs contains one or more references to 1892 Kubernetes objects that contain TLS certificates of 1893 the Certificate Authorities that can be used 1894 as a trust anchor to validate the certificates presented by the client. 1895 1896 1897 A single CA certificate reference to a Kubernetes ConfigMap 1898 has "Core" support. 1899 Implementations MAY choose to support attaching multiple CA certificates to 1900 a Listener, but this behavior is implementation-specific. 1901 1902 1903 Support: Core - A single reference to a Kubernetes ConfigMap 1904 with the CA certificate in a key named `ca.crt`. 1905 1906 1907 Support: Implementation-specific (More than one reference, or other kinds 1908 of resources). 1909 1910 1911 References to a resource in a different namespace are invalid UNLESS there 1912 is a ReferenceGrant in the target namespace that allows the certificate 1913 to be attached. 
If a ReferenceGrant does not allow this reference, the 1914 "ResolvedRefs" condition MUST be set to False for this listener with the 1915 "RefNotPermitted" reason. 1916 items: 1917 description: |- 1918 ObjectReference identifies an API object including its namespace. 1919 1920 1921 The API object must be valid in the cluster; the Group and Kind must 1922 be registered in the cluster for this reference to be valid. 1923 1924 1925 References to objects with invalid Group and Kind are not valid, and must 1926 be rejected by the implementation, with appropriate Conditions set 1927 on the containing object. 1928 properties: 1929 group: 1930 description: |- 1931 Group is the group of the referent. For example, "gateway.networking.k8s.io". 1932 When unspecified or empty string, core API group is inferred. 1933 maxLength: 253 1934 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1935 type: string 1936 kind: 1937 description: Kind is kind of the referent. For 1938 example "ConfigMap" or "Service". 1939 maxLength: 63 1940 minLength: 1 1941 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 1942 type: string 1943 name: 1944 description: Name is the name of the referent. 1945 maxLength: 253 1946 minLength: 1 1947 type: string 1948 namespace: 1949 description: |- 1950 Namespace is the namespace of the referenced object. When unspecified, the local 1951 namespace is inferred. 1952 1953 1954 Note that when a namespace different than the local namespace is specified, 1955 a ReferenceGrant object is required in the referent namespace to allow that 1956 namespace's owner to accept the reference. See the ReferenceGrant 1957 documentation for details. 
1958 1959 1960 Support: Core 1961 maxLength: 63 1962 minLength: 1 1963 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 1964 type: string 1965 required: 1966 - group 1967 - kind 1968 - name 1969 type: object 1970 maxItems: 8 1971 minItems: 1 1972 type: array 1973 type: object 1974 mode: 1975 default: Terminate 1976 description: |- 1977 Mode defines the TLS behavior for the TLS session initiated by the client. 1978 There are two possible modes: 1979 1980 1981 - Terminate: The TLS session between the downstream client and the 1982 Gateway is terminated at the Gateway. This mode requires certificates 1983 to be specified in some way, such as populating the certificateRefs 1984 field. 1985 - Passthrough: The TLS session is NOT terminated by the Gateway. This 1986 implies that the Gateway can't decipher the TLS stream except for 1987 the ClientHello message of the TLS protocol. The certificateRefs field 1988 is ignored in this mode. 1989 1990 1991 Support: Core 1992 enum: 1993 - Terminate 1994 - Passthrough 1995 type: string 1996 options: 1997 additionalProperties: 1998 description: |- 1999 AnnotationValue is the value of an annotation in Gateway API. This is used 2000 for validation of maps such as TLS options. This roughly matches Kubernetes 2001 annotation validation, although the length validation in that case is based 2002 on the entire size of the annotations struct. 2003 maxLength: 4096 2004 minLength: 0 2005 type: string 2006 description: |- 2007 Options are a list of key/value pairs to enable extended TLS 2008 configuration for each implementation. For example, configuring the 2009 minimum TLS version or supported cipher suites. 2010 2011 2012 A set of common keys MAY be defined by the API in the future. To avoid 2013 any ambiguity, implementation-specific definitions MUST use 2014 domain-prefixed names, such as `example.com/my-custom-option`. 2015 Un-prefixed names are reserved for key names defined by Gateway API. 
2016 2017 2018 Support: Implementation-specific 2019 maxProperties: 16 2020 type: object 2021 type: object 2022 x-kubernetes-validations: 2023 - message: certificateRefs or options must be specified when 2024 mode is Terminate 2025 rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) 2026 > 0 || size(self.options) > 0 : true' 2027 required: 2028 - name 2029 - port 2030 - protocol 2031 type: object 2032 maxItems: 64 2033 minItems: 1 2034 type: array 2035 x-kubernetes-list-map-keys: 2036 - name 2037 x-kubernetes-list-type: map 2038 x-kubernetes-validations: 2039 - message: tls must not be specified for protocols ['HTTP', 'TCP', 2040 'UDP'] 2041 rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? 2042 !has(l.tls) : true)' 2043 - message: tls mode must be Terminate for protocol HTTPS 2044 rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode 2045 == '''' || l.tls.mode == ''Terminate'') : true)' 2046 - message: hostname must not be specified for protocols ['TCP', 'UDP'] 2047 rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) 2048 || l.hostname == '''') : true)' 2049 - message: Listener name must be unique within the Gateway 2050 rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) 2051 - message: Combination of port, protocol and hostname must be unique 2052 for each listener 2053 rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol 2054 == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? 
l1.hostname 2055 == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' 2056 required: 2057 - gatewayClassName 2058 - listeners 2059 type: object 2060 status: 2061 default: 2062 conditions: 2063 - lastTransitionTime: "1970-01-01T00:00:00Z" 2064 message: Waiting for controller 2065 reason: Pending 2066 status: Unknown 2067 type: Accepted 2068 - lastTransitionTime: "1970-01-01T00:00:00Z" 2069 message: Waiting for controller 2070 reason: Pending 2071 status: Unknown 2072 type: Programmed 2073 description: Status defines the current state of Gateway. 2074 properties: 2075 addresses: 2076 description: |+ 2077 Addresses lists the network addresses that have been bound to the 2078 Gateway. 2079 2080 2081 This list may differ from the addresses provided in the spec under some 2082 conditions: 2083 2084 2085 * no addresses are specified, all addresses are dynamically assigned 2086 * a combination of specified and dynamic addresses are assigned 2087 * a specified address was unusable (e.g. already in use) 2088 2089 2090 items: 2091 description: GatewayStatusAddress describes a network address that 2092 is bound to a Gateway. 2093 oneOf: 2094 - properties: 2095 type: 2096 enum: 2097 - IPAddress 2098 value: 2099 anyOf: 2100 - format: ipv4 2101 - format: ipv6 2102 - properties: 2103 type: 2104 not: 2105 enum: 2106 - IPAddress 2107 properties: 2108 type: 2109 default: IPAddress 2110 description: Type of the address. 2111 maxLength: 253 2112 minLength: 1 2113 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ 2114 type: string 2115 value: 2116 description: |- 2117 Value of the address. The validity of the values will depend 2118 on the type and support by the controller. 2119 2120 2121 Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 
                      maxLength: 253
                      minLength: 1
                      type: string
                  required:
                  - value
                  type: object
                  x-kubernetes-validations:
                  - message: Hostname value must only contain valid characters (matching
                      ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
                    rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
                      true'
                maxItems: 16
                type: array
              conditions:
                default:
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: Pending
                  status: Unknown
                  type: Accepted
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: Pending
                  status: Unknown
                  type: Programmed
                description: |-
                  Conditions describe the current conditions of the Gateway.


                  Implementations should prefer to express Gateway conditions
                  using the `GatewayConditionType` and `GatewayConditionReason`
                  constants so that operators and tools can converge on a common
                  vocabulary to describe Gateway state.


                  Known condition types are:


                  * "Accepted"
                  * "Programmed"
                  * "Ready"
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions. For
                    example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
                    observations of a foo's current state.\n\t // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                    +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
                    \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \ // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                maxItems: 8
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              listeners:
                description: Listeners provide status for each unique listener port
                  defined in the Spec.
                items:
                  description: ListenerStatus is the status associated with a Listener.
                  properties:
                    attachedRoutes:
                      description: |-
                        AttachedRoutes represents the total number of Routes that have been
                        successfully attached to this Listener.


                        Successful attachment of a Route to a Listener is based solely on the
                        combination of the AllowedRoutes field on the corresponding Listener
                        and the Route's ParentRefs field. A Route is successfully attached to
                        a Listener when it is selected by the Listener's AllowedRoutes field
                        AND the Route has a valid ParentRef selecting the whole Gateway
                        resource or a specific Listener as a parent resource (more detail on
                        attachment semantics can be found in the documentation on the various
                        Route kinds ParentRefs fields). Listener or Route status does not impact
                        successful attachment, i.e. the AttachedRoutes field count MUST be set
                        for Listeners with condition Accepted: false and MUST count successfully
                        attached Routes that may themselves have Accepted: false conditions.


                        Uses for this field include troubleshooting Route attachment and
                        measuring blast radius/impact of changes to a Listener.
                      format: int32
                      type: integer
                    conditions:
                      description: Conditions describe the current condition of this
                        listener.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    name:
                      description: Name is the name of the Listener that this status
                        corresponds to.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    supportedKinds:
                      description: |-
                        SupportedKinds is the list indicating the Kinds supported by this
                        listener. This MUST represent the kinds an implementation supports for
                        that Listener configuration.


                        If kinds are specified in Spec that are not supported, they MUST NOT
                        appear in this list and an implementation MUST set the "ResolvedRefs"
                        condition to "False" with the "InvalidRouteKinds" reason. If both valid
                        and invalid Route kinds are specified, the implementation MUST
                        reference the valid Route kinds that have been specified.
                      items:
                        description: RouteGroupKind indicates the group and kind of
                          a Route resource.
                        properties:
                          group:
                            default: gateway.networking.k8s.io
                            description: Group is the group of the Route.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            description: Kind is the kind of the Route.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                        required:
                        - kind
                        type: object
                      maxItems: 8
                      type: array
                  required:
                  - attachedRoutes
                  - conditions
                  - name
                  - supportedKinds
                  type: object
                maxItems: 64
                type: array
                x-kubernetes-list-map-keys:
                - name
                x-kubernetes-list-type: map
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.gatewayClassName
      name: Class
      type: string
    - jsonPath: .status.addresses[*].value
      name: Address
      type: string
    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
      name: Programmed
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: |-
          Gateway represents an instance of a service-traffic handling infrastructure
          by binding Listeners to a set of IP addresses.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of Gateway.
            properties:
              addresses:
                description: |+
                  Addresses requested for this Gateway. This is optional and behavior can
                  depend on the implementation. If a value is set in the spec and the
                  requested address is invalid or unavailable, the implementation MUST
                  indicate this in the associated entry in GatewayStatus.Addresses.


                  The Addresses field represents a request for the address(es) on the
                  "outside of the Gateway", that traffic bound for this Gateway will use.
                  This could be the IP address or hostname of an external load balancer or
                  other networking infrastructure, or some other address that traffic will
                  be sent to.


                  If no Addresses are specified, the implementation MAY schedule the
                  Gateway in an implementation-specific manner, assigning an appropriate
                  set of Addresses.


                  The implementation MUST bind all Listeners to every GatewayAddress that
                  it assigns to the Gateway and add a corresponding entry in
                  GatewayStatus.Addresses.


                  Support: Extended


                items:
                  description: GatewayAddress describes an address that can be bound
                    to a Gateway.
                  oneOf:
                  - properties:
                      type:
                        enum:
                        - IPAddress
                      value:
                        anyOf:
                        - format: ipv4
                        - format: ipv6
                  - properties:
                      type:
                        not:
                          enum:
                          - IPAddress
                  properties:
                    type:
                      default: IPAddress
                      description: Type of the address.
                      maxLength: 253
                      minLength: 1
                      pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    value:
                      description: |-
                        Value of the address. The validity of the values will depend
                        on the type and support by the controller.


                        Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
                      maxLength: 253
                      minLength: 1
                      type: string
                  required:
                  - value
                  type: object
                  x-kubernetes-validations:
                  - message: Hostname value must only contain valid characters (matching
                      ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
                    rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
                      true'
                maxItems: 16
                type: array
                x-kubernetes-validations:
                - message: IPAddress values must be unique
                  rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
                    a2.type == a1.type && a2.value == a1.value) : true )'
                - message: Hostname values must be unique
                  rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
                    a2.type == a1.type && a2.value == a1.value) : true )'
              gatewayClassName:
                description: |-
                  GatewayClassName used for this Gateway. This is the name of a
                  GatewayClass resource.
                maxLength: 253
                minLength: 1
                type: string
              infrastructure:
                description: |+
                  Infrastructure defines infrastructure level attributes about this Gateway instance.


                  Support: Core


                properties:
                  annotations:
                    additionalProperties:
                      description: |-
                        AnnotationValue is the value of an annotation in Gateway API. This is used
                        for validation of maps such as TLS options. This roughly matches Kubernetes
                        annotation validation, although the length validation in that case is based
                        on the entire size of the annotations struct.
                      maxLength: 4096
                      minLength: 0
                      type: string
                    description: |-
                      Annotations that SHOULD be applied to any resources created in response to this Gateway.


                      For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
                      For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.


                      An implementation may choose to add additional implementation-specific annotations as they see fit.


                      Support: Extended
                    maxProperties: 8
                    type: object
                  labels:
                    additionalProperties:
                      description: |-
                        AnnotationValue is the value of an annotation in Gateway API. This is used
                        for validation of maps such as TLS options. This roughly matches Kubernetes
                        annotation validation, although the length validation in that case is based
                        on the entire size of the annotations struct.
                      maxLength: 4096
                      minLength: 0
                      type: string
                    description: |-
                      Labels that SHOULD be applied to any resources created in response to this Gateway.


                      For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
                      For other implementations, this refers to any relevant (implementation specific) "labels" concepts.


                      An implementation may choose to add additional implementation-specific labels as they see fit.


                      Support: Extended
                    maxProperties: 8
                    type: object
                  parametersRef:
                    description: |-
                      ParametersRef is a reference to a resource that contains the configuration
                      parameters corresponding to the Gateway. This is optional if the
                      controller does not require any additional configuration.


                      This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis


                      The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
                      the merging behavior is implementation specific.
                      It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.


                      Support: Implementation-specific
                    properties:
                      group:
                        description: Group is the group of the referent.
                        maxLength: 253
                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                      kind:
                        description: Kind is kind of the referent.
                        maxLength: 63
                        minLength: 1
                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                        type: string
                      name:
                        description: Name is the name of the referent.
                        maxLength: 253
                        minLength: 1
                        type: string
                    required:
                    - group
                    - kind
                    - name
                    type: object
                type: object
              listeners:
                description: |-
                  Listeners associated with this Gateway. Listeners define
                  logical endpoints that are bound on this Gateway's addresses.
                  At least one Listener MUST be specified.


                  Each Listener in a set of Listeners (for example, in a single Gateway)
                  MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
                  exactly one listener. (This section uses "set of Listeners" rather than
                  "Listeners in a single Gateway" because implementations MAY merge configuration
                  from multiple Gateways onto a single data plane, and these rules _also_
                  apply in that case).


                  Practically, this means that each listener in a set MUST have a unique
                  combination of Port, Protocol, and, if supported by the protocol, Hostname.


                  Some combinations of port, protocol, and TLS settings are considered
                  Core support and MUST be supported by implementations based on their
                  targeted conformance profile:


                  HTTP Profile


                  1. HTTPRoute, Port: 80, Protocol: HTTP
                  2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided


                  TLS Profile


                  1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough


                  "Distinct" Listeners have the following property:


                  The implementation can match inbound requests to a single distinct
                  Listener. When multiple Listeners share values for fields (for
                  example, two Listeners with the same Port value), the implementation
                  can match requests to only one of the Listeners using other
                  Listener fields.


                  For example, the following Listener scenarios are distinct:


                  1. Multiple Listeners with the same Port that all use the "HTTP"
                     Protocol that all have unique Hostname values.
                  2. Multiple Listeners with the same Port that use either the "HTTPS" or
                     "TLS" Protocol that all have unique Hostname values.
                  3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
                     with the same Protocol has the same Port value.


                  Some fields in the Listener struct have possible values that affect
                  whether the Listener is distinct. Hostname is particularly relevant
                  for HTTP or HTTPS protocols.


                  When using the Hostname value to select between same-Port, same-Protocol
                  Listeners, the Hostname value must be different on each Listener for the
                  Listener to be distinct.


                  When the Listeners are distinct based on Hostname, inbound request
                  hostnames MUST match from the most specific to least specific Hostname
                  values to choose the correct Listener and its associated set of Routes.


                  Exact matches must be processed before wildcard matches, and wildcard
                  matches must be processed before fallback (empty Hostname value)
                  matches. For example, `"foo.example.com"` takes precedence over
                  `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.


                  Additionally, if there are multiple wildcard entries, more specific
                  wildcard entries must be processed before less specific wildcard entries.
                  For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
2706 The precise definition here is that the higher the number of dots in the 2707 hostname to the right of the wildcard character, the higher the precedence. 2708 2709 2710 The wildcard character will match any number of characters _and dots_ to 2711 the left, however, so `"*.example.com"` will match both 2712 `"foo.bar.example.com"` _and_ `"bar.example.com"`. 2713 2714 2715 If a set of Listeners contains Listeners that are not distinct, then those 2716 Listeners are Conflicted, and the implementation MUST set the "Conflicted" 2717 condition in the Listener Status to "True". 2718 2719 2720 Implementations MAY choose to accept a Gateway with some Conflicted 2721 Listeners only if they only accept the partial Listener set that contains 2722 no Conflicted Listeners. To put this another way, implementations may 2723 accept a partial Listener set only if they throw out *all* the conflicting 2724 Listeners. No picking one of the conflicting listeners as the winner. 2725 This also means that the Gateway must have at least one non-conflicting 2726 Listener in this case, otherwise it violates the requirement that at 2727 least one Listener must be present. 2728 2729 2730 The implementation MUST set a "ListenersNotValid" condition on the 2731 Gateway Status when the Gateway contains Conflicted Listeners whether or 2732 not they accept the Gateway. That Condition SHOULD clearly 2733 indicate in the Message which Listeners are conflicted, and which are 2734 Accepted. Additionally, the Listener status for those listeners SHOULD 2735 indicate which Listeners are conflicted and not Accepted. 2736 2737 2738 A Gateway's Listeners are considered "compatible" if: 2739 2740 2741 1. They are distinct. 2742 2. The implementation can serve them in compliance with the Addresses 2743 requirement that all Listeners are available on all assigned 2744 addresses. 2745 2746 2747 Compatible combinations in Extended support are expected to vary across 2748 implementations. 
A combination that is compatible for one implementation 2749 may not be compatible for another. 2750 2751 2752 For example, an implementation that cannot serve both TCP and UDP listeners 2753 on the same address, or cannot mix HTTPS and generic TLS listens on the same port 2754 would not consider those cases compatible, even though they are distinct. 2755 2756 2757 Note that requests SHOULD match at most one Listener. For example, if 2758 Listeners are defined for "foo.example.com" and "*.example.com", a 2759 request to "foo.example.com" SHOULD only be routed using routes attached 2760 to the "foo.example.com" Listener (and not the "*.example.com" Listener). 2761 This concept is known as "Listener Isolation". Implementations that do 2762 not support Listener Isolation MUST clearly document this. 2763 2764 2765 Implementations MAY merge separate Gateways onto a single set of 2766 Addresses if all Listeners across all Gateways are compatible. 2767 2768 2769 Support: Core 2770 items: 2771 description: |- 2772 Listener embodies the concept of a logical endpoint where a Gateway accepts 2773 network connections. 2774 properties: 2775 allowedRoutes: 2776 default: 2777 namespaces: 2778 from: Same 2779 description: |- 2780 AllowedRoutes defines the types of routes that MAY be attached to a 2781 Listener and the trusted namespaces where those Route resources MAY be 2782 present. 2783 2784 2785 Although a client request may match multiple route rules, only one rule 2786 may ultimately receive the request. Matching precedence MUST be 2787 determined in order of the following criteria: 2788 2789 2790 * The most specific match as defined by the Route type. 2791 * The oldest Route based on creation timestamp. For example, a Route with 2792 a creation timestamp of "2020-09-08 01:02:03" is given precedence over 2793 a Route with a creation timestamp of "2020-09-08 01:02:04". 
2794 * If everything else is equivalent, the Route appearing first in 2795 alphabetical order (namespace/name) should be given precedence. For 2796 example, foo/bar is given precedence over foo/baz. 2797 2798 2799 All valid rules within a Route attached to this Listener should be 2800 implemented. Invalid Route rules can be ignored (sometimes that will mean 2801 the full Route). If a Route rule transitions from valid to invalid, 2802 support for that Route rule should be dropped to ensure consistency. For 2803 example, even if a filter specified by a Route rule is invalid, the rest 2804 of the rules within that Route should still be supported. 2805 2806 2807 Support: Core 2808 properties: 2809 kinds: 2810 description: |- 2811 Kinds specifies the groups and kinds of Routes that are allowed to bind 2812 to this Gateway Listener. When unspecified or empty, the kinds of Routes 2813 selected are determined using the Listener protocol. 2814 2815 2816 A RouteGroupKind MUST correspond to kinds of Routes that are compatible 2817 with the application protocol specified in the Listener's Protocol field. 2818 If an implementation does not support or recognize this resource type, it 2819 MUST set the "ResolvedRefs" condition to False for this Listener with the 2820 "InvalidRouteKinds" reason. 2821 2822 2823 Support: Core 2824 items: 2825 description: RouteGroupKind indicates the group and kind 2826 of a Route resource. 2827 properties: 2828 group: 2829 default: gateway.networking.k8s.io 2830 description: Group is the group of the Route. 2831 maxLength: 253 2832 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2833 type: string 2834 kind: 2835 description: Kind is the kind of the Route. 
2836 maxLength: 63 2837 minLength: 1 2838 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 2839 type: string 2840 required: 2841 - kind 2842 type: object 2843 maxItems: 8 2844 type: array 2845 namespaces: 2846 default: 2847 from: Same 2848 description: |- 2849 Namespaces indicates namespaces from which Routes may be attached to this 2850 Listener. This is restricted to the namespace of this Gateway by default. 2851 2852 2853 Support: Core 2854 properties: 2855 from: 2856 default: Same 2857 description: |- 2858 From indicates where Routes will be selected for this Gateway. Possible 2859 values are: 2860 2861 2862 * All: Routes in all namespaces may be used by this Gateway. 2863 * Selector: Routes in namespaces selected by the selector may be used by 2864 this Gateway. 2865 * Same: Only Routes in the same namespace may be used by this Gateway. 2866 2867 2868 Support: Core 2869 enum: 2870 - All 2871 - Selector 2872 - Same 2873 type: string 2874 selector: 2875 description: |- 2876 Selector must be specified when From is set to "Selector". In that case, 2877 only Routes in Namespaces matching this Selector will be selected by this 2878 Gateway. This field is ignored for other values of "From". 2879 2880 2881 Support: Core 2882 properties: 2883 matchExpressions: 2884 description: matchExpressions is a list of label 2885 selector requirements. The requirements are ANDed. 2886 items: 2887 description: |- 2888 A label selector requirement is a selector that contains values, a key, and an operator that 2889 relates the key and values. 2890 properties: 2891 key: 2892 description: key is the label key that the 2893 selector applies to. 2894 type: string 2895 operator: 2896 description: |- 2897 operator represents a key's relationship to a set of values. 2898 Valid operators are In, NotIn, Exists and DoesNotExist. 2899 type: string 2900 values: 2901 description: |- 2902 values is an array of string values. If the operator is In or NotIn, 2903 the values array must be non-empty. 
If the operator is Exists or DoesNotExist, 2904 the values array must be empty. This array is replaced during a strategic 2905 merge patch. 2906 items: 2907 type: string 2908 type: array 2909 x-kubernetes-list-type: atomic 2910 required: 2911 - key 2912 - operator 2913 type: object 2914 type: array 2915 x-kubernetes-list-type: atomic 2916 matchLabels: 2917 additionalProperties: 2918 type: string 2919 description: |- 2920 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels 2921 map is equivalent to an element of matchExpressions, whose key field is "key", the 2922 operator is "In", and the values array contains only "value". The requirements are ANDed. 2923 type: object 2924 type: object 2925 x-kubernetes-map-type: atomic 2926 type: object 2927 type: object 2928 hostname: 2929 description: |- 2930 Hostname specifies the virtual hostname to match for protocol types that 2931 define this concept. When unspecified, all hostnames are matched. This 2932 field is ignored for protocols that don't require hostname based 2933 matching. 2934 2935 2936 Implementations MUST apply Hostname matching appropriately for each of 2937 the following protocols: 2938 2939 2940 * TLS: The Listener Hostname MUST match the SNI. 2941 * HTTP: The Listener Hostname MUST match the Host header of the request. 2942 * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP 2943 protocol layers as described above. If an implementation does not 2944 ensure that both the SNI and Host header match the Listener hostname, 2945 it MUST clearly document that. 2946 2947 2948 For HTTPRoute and TLSRoute resources, there is an interaction with the 2949 `spec.hostnames` array. When both listener and route specify hostnames, 2950 there MUST be an intersection between the values for a Route to be 2951 accepted. For more information, refer to the Route specific Hostnames 2952 documentation. 
2953 2954 2955 Hostnames that are prefixed with a wildcard label (`*.`) are interpreted 2956 as a suffix match. That means that a match for `*.example.com` would match 2957 both `test.example.com`, and `foo.test.example.com`, but not `example.com`. 2958 2959 2960 Support: Core 2961 maxLength: 253 2962 minLength: 1 2963 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2964 type: string 2965 name: 2966 description: |- 2967 Name is the name of the Listener. This name MUST be unique within a 2968 Gateway. 2969 2970 2971 Support: Core 2972 maxLength: 253 2973 minLength: 1 2974 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2975 type: string 2976 port: 2977 description: |- 2978 Port is the network port. Multiple listeners may use the 2979 same port, subject to the Listener compatibility rules. 2980 2981 2982 Support: Core 2983 format: int32 2984 maximum: 65535 2985 minimum: 1 2986 type: integer 2987 protocol: 2988 description: |- 2989 Protocol specifies the network protocol this listener expects to receive. 2990 2991 2992 Support: Core 2993 maxLength: 255 2994 minLength: 1 2995 pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ 2996 type: string 2997 tls: 2998 description: |- 2999 TLS is the TLS configuration for the Listener. This field is required if 3000 the Protocol field is "HTTPS" or "TLS". It is invalid to set this field 3001 if the Protocol field is "HTTP", "TCP", or "UDP". 3002 3003 3004 The association of SNIs to Certificate defined in GatewayTLSConfig is 3005 defined based on the Hostname field for this listener. 3006 3007 3008 The GatewayClass MUST use the longest matching SNI out of all 3009 available certificates for any TLS handshake. 
3010 3011 3012 Support: Core 3013 properties: 3014 certificateRefs: 3015 description: |- 3016 CertificateRefs contains a series of references to Kubernetes objects that 3017 contains TLS certificates and private keys. These certificates are used to 3018 establish a TLS handshake for requests that match the hostname of the 3019 associated listener. 3020 3021 3022 A single CertificateRef to a Kubernetes Secret has "Core" support. 3023 Implementations MAY choose to support attaching multiple certificates to 3024 a Listener, but this behavior is implementation-specific. 3025 3026 3027 References to a resource in different namespace are invalid UNLESS there 3028 is a ReferenceGrant in the target namespace that allows the certificate 3029 to be attached. If a ReferenceGrant does not allow this reference, the 3030 "ResolvedRefs" condition MUST be set to False for this listener with the 3031 "RefNotPermitted" reason. 3032 3033 3034 This field is required to have at least one element when the mode is set 3035 to "Terminate" (default) and is optional otherwise. 3036 3037 3038 CertificateRefs can reference to standard Kubernetes resources, i.e. 3039 Secret, or implementation-specific custom resources. 3040 3041 3042 Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls 3043 3044 3045 Support: Implementation-specific (More than one reference or other resource types) 3046 items: 3047 description: |- 3048 SecretObjectReference identifies an API object including its namespace, 3049 defaulting to Secret. 3050 3051 3052 The API object must be valid in the cluster; the Group and Kind must 3053 be registered in the cluster for this reference to be valid. 3054 3055 3056 References to objects with invalid Group and Kind are not valid, and must 3057 be rejected by the implementation, with appropriate Conditions set 3058 on the containing object. 3059 properties: 3060 group: 3061 default: "" 3062 description: |- 3063 Group is the group of the referent. 
For example, "gateway.networking.k8s.io". 3064 When unspecified or empty string, core API group is inferred. 3065 maxLength: 253 3066 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3067 type: string 3068 kind: 3069 default: Secret 3070 description: Kind is kind of the referent. For example 3071 "Secret". 3072 maxLength: 63 3073 minLength: 1 3074 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 3075 type: string 3076 name: 3077 description: Name is the name of the referent. 3078 maxLength: 253 3079 minLength: 1 3080 type: string 3081 namespace: 3082 description: |- 3083 Namespace is the namespace of the referenced object. When unspecified, the local 3084 namespace is inferred. 3085 3086 3087 Note that when a namespace different than the local namespace is specified, 3088 a ReferenceGrant object is required in the referent namespace to allow that 3089 namespace's owner to accept the reference. See the ReferenceGrant 3090 documentation for details. 3091 3092 3093 Support: Core 3094 maxLength: 63 3095 minLength: 1 3096 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 3097 type: string 3098 required: 3099 - name 3100 type: object 3101 maxItems: 64 3102 type: array 3103 frontendValidation: 3104 description: |+ 3105 FrontendValidation holds configuration information for validating the frontend (client). 3106 Setting this field will require clients to send a client certificate 3107 required for validation during the TLS handshake. In browsers this may result in a dialog appearing 3108 that requests a user to specify the client certificate. 3109 The maximum depth of a certificate chain accepted in verification is Implementation specific. 
3110 3111 3112 Support: Extended 3113 3114 3115 properties: 3116 caCertificateRefs: 3117 description: |- 3118 CACertificateRefs contains one or more references to 3119 Kubernetes objects that contain TLS certificates of 3120 the Certificate Authorities that can be used 3121 as a trust anchor to validate the certificates presented by the client. 3122 3123 3124 A single CA certificate reference to a Kubernetes ConfigMap 3125 has "Core" support. 3126 Implementations MAY choose to support attaching multiple CA certificates to 3127 a Listener, but this behavior is implementation-specific. 3128 3129 3130 Support: Core - A single reference to a Kubernetes ConfigMap 3131 with the CA certificate in a key named `ca.crt`. 3132 3133 3134 Support: Implementation-specific (More than one reference, or other kinds 3135 of resources). 3136 3137 3138 References to a resource in a different namespace are invalid UNLESS there 3139 is a ReferenceGrant in the target namespace that allows the certificate 3140 to be attached. If a ReferenceGrant does not allow this reference, the 3141 "ResolvedRefs" condition MUST be set to False for this listener with the 3142 "RefNotPermitted" reason. 3143 items: 3144 description: |- 3145 ObjectReference identifies an API object including its namespace. 3146 3147 3148 The API object must be valid in the cluster; the Group and Kind must 3149 be registered in the cluster for this reference to be valid. 3150 3151 3152 References to objects with invalid Group and Kind are not valid, and must 3153 be rejected by the implementation, with appropriate Conditions set 3154 on the containing object. 3155 properties: 3156 group: 3157 description: |- 3158 Group is the group of the referent. For example, "gateway.networking.k8s.io". 3159 When unspecified or empty string, core API group is inferred. 
3160 maxLength: 253 3161 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3162 type: string 3163 kind: 3164 description: Kind is kind of the referent. For 3165 example "ConfigMap" or "Service". 3166 maxLength: 63 3167 minLength: 1 3168 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 3169 type: string 3170 name: 3171 description: Name is the name of the referent. 3172 maxLength: 253 3173 minLength: 1 3174 type: string 3175 namespace: 3176 description: |- 3177 Namespace is the namespace of the referenced object. When unspecified, the local 3178 namespace is inferred. 3179 3180 3181 Note that when a namespace different than the local namespace is specified, 3182 a ReferenceGrant object is required in the referent namespace to allow that 3183 namespace's owner to accept the reference. See the ReferenceGrant 3184 documentation for details. 3185 3186 3187 Support: Core 3188 maxLength: 63 3189 minLength: 1 3190 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 3191 type: string 3192 required: 3193 - group 3194 - kind 3195 - name 3196 type: object 3197 maxItems: 8 3198 minItems: 1 3199 type: array 3200 type: object 3201 mode: 3202 default: Terminate 3203 description: |- 3204 Mode defines the TLS behavior for the TLS session initiated by the client. 3205 There are two possible modes: 3206 3207 3208 - Terminate: The TLS session between the downstream client and the 3209 Gateway is terminated at the Gateway. This mode requires certificates 3210 to be specified in some way, such as populating the certificateRefs 3211 field. 3212 - Passthrough: The TLS session is NOT terminated by the Gateway. This 3213 implies that the Gateway can't decipher the TLS stream except for 3214 the ClientHello message of the TLS protocol. The certificateRefs field 3215 is ignored in this mode. 
3216 3217 3218 Support: Core 3219 enum: 3220 - Terminate 3221 - Passthrough 3222 type: string 3223 options: 3224 additionalProperties: 3225 description: |- 3226 AnnotationValue is the value of an annotation in Gateway API. This is used 3227 for validation of maps such as TLS options. This roughly matches Kubernetes 3228 annotation validation, although the length validation in that case is based 3229 on the entire size of the annotations struct. 3230 maxLength: 4096 3231 minLength: 0 3232 type: string 3233 description: |- 3234 Options are a list of key/value pairs to enable extended TLS 3235 configuration for each implementation. For example, configuring the 3236 minimum TLS version or supported cipher suites. 3237 3238 3239 A set of common keys MAY be defined by the API in the future. To avoid 3240 any ambiguity, implementation-specific definitions MUST use 3241 domain-prefixed names, such as `example.com/my-custom-option`. 3242 Un-prefixed names are reserved for key names defined by Gateway API. 3243 3244 3245 Support: Implementation-specific 3246 maxProperties: 16 3247 type: object 3248 type: object 3249 x-kubernetes-validations: 3250 - message: certificateRefs or options must be specified when 3251 mode is Terminate 3252 rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) 3253 > 0 || size(self.options) > 0 : true' 3254 required: 3255 - name 3256 - port 3257 - protocol 3258 type: object 3259 maxItems: 64 3260 minItems: 1 3261 type: array 3262 x-kubernetes-list-map-keys: 3263 - name 3264 x-kubernetes-list-type: map 3265 x-kubernetes-validations: 3266 - message: tls must not be specified for protocols ['HTTP', 'TCP', 3267 'UDP'] 3268 rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? 3269 !has(l.tls) : true)' 3270 - message: tls mode must be Terminate for protocol HTTPS 3271 rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? 
(l.tls.mode 3272 == '''' || l.tls.mode == ''Terminate'') : true)' 3273 - message: hostname must not be specified for protocols ['TCP', 'UDP'] 3274 rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) 3275 || l.hostname == '''') : true)' 3276 - message: Listener name must be unique within the Gateway 3277 rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) 3278 - message: Combination of port, protocol and hostname must be unique 3279 for each listener 3280 rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol 3281 == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname 3282 == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' 3283 required: 3284 - gatewayClassName 3285 - listeners 3286 type: object 3287 status: 3288 default: 3289 conditions: 3290 - lastTransitionTime: "1970-01-01T00:00:00Z" 3291 message: Waiting for controller 3292 reason: Pending 3293 status: Unknown 3294 type: Accepted 3295 - lastTransitionTime: "1970-01-01T00:00:00Z" 3296 message: Waiting for controller 3297 reason: Pending 3298 status: Unknown 3299 type: Programmed 3300 description: Status defines the current state of Gateway. 3301 properties: 3302 addresses: 3303 description: |+ 3304 Addresses lists the network addresses that have been bound to the 3305 Gateway. 3306 3307 3308 This list may differ from the addresses provided in the spec under some 3309 conditions: 3310 3311 3312 * no addresses are specified, all addresses are dynamically assigned 3313 * a combination of specified and dynamic addresses are assigned 3314 * a specified address was unusable (e.g. already in use) 3315 3316 3317 items: 3318 description: GatewayStatusAddress describes a network address that 3319 is bound to a Gateway. 
3320 oneOf: 3321 - properties: 3322 type: 3323 enum: 3324 - IPAddress 3325 value: 3326 anyOf: 3327 - format: ipv4 3328 - format: ipv6 3329 - properties: 3330 type: 3331 not: 3332 enum: 3333 - IPAddress 3334 properties: 3335 type: 3336 default: IPAddress 3337 description: Type of the address. 3338 maxLength: 253 3339 minLength: 1 3340 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ 3341 type: string 3342 value: 3343 description: |- 3344 Value of the address. The validity of the values will depend 3345 on the type and support by the controller. 3346 3347 3348 Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 3349 maxLength: 253 3350 minLength: 1 3351 type: string 3352 required: 3353 - value 3354 type: object 3355 x-kubernetes-validations: 3356 - message: Hostname value must only contain valid characters (matching 3357 ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) 3358 rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): 3359 true' 3360 maxItems: 16 3361 type: array 3362 conditions: 3363 default: 3364 - lastTransitionTime: "1970-01-01T00:00:00Z" 3365 message: Waiting for controller 3366 reason: Pending 3367 status: Unknown 3368 type: Accepted 3369 - lastTransitionTime: "1970-01-01T00:00:00Z" 3370 message: Waiting for controller 3371 reason: Pending 3372 status: Unknown 3373 type: Programmed 3374 description: |- 3375 Conditions describe the current conditions of the Gateway. 3376 3377 3378 Implementations should prefer to express Gateway conditions 3379 using the `GatewayConditionType` and `GatewayConditionReason` 3380 constants so that operators and tools can converge on a common 3381 vocabulary to describe Gateway state. 
3382 3383 3384 Known condition types are: 3385 3386 3387 * "Accepted" 3388 * "Programmed" 3389 * "Ready" 3390 items: 3391 description: "Condition contains details for one aspect of the current 3392 state of this API Resource.\n---\nThis struct is intended for 3393 direct use as an array at the field path .status.conditions. For 3394 example,\n\n\n\ttype FooStatus struct{\n\t // Represents the 3395 observations of a foo's current state.\n\t // Known .status.conditions.type 3396 are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // 3397 +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t 3398 \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" 3399 patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t 3400 \ // other fields\n\t}" 3401 properties: 3402 lastTransitionTime: 3403 description: |- 3404 lastTransitionTime is the last time the condition transitioned from one status to another. 3405 This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 3406 format: date-time 3407 type: string 3408 message: 3409 description: |- 3410 message is a human readable message indicating details about the transition. 3411 This may be an empty string. 3412 maxLength: 32768 3413 type: string 3414 observedGeneration: 3415 description: |- 3416 observedGeneration represents the .metadata.generation that the condition was set based upon. 3417 For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date 3418 with respect to the current state of the instance. 3419 format: int64 3420 minimum: 0 3421 type: integer 3422 reason: 3423 description: |- 3424 reason contains a programmatic identifier indicating the reason for the condition's last transition. 
3425 Producers of specific condition types may define expected values and meanings for this field, 3426 and whether the values are considered a guaranteed API. 3427 The value should be a CamelCase string. 3428 This field may not be empty. 3429 maxLength: 1024 3430 minLength: 1 3431 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 3432 type: string 3433 status: 3434 description: status of the condition, one of True, False, Unknown. 3435 enum: 3436 - "True" 3437 - "False" 3438 - Unknown 3439 type: string 3440 type: 3441 description: |- 3442 type of condition in CamelCase or in foo.example.com/CamelCase. 3443 --- 3444 Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be 3445 useful (see .node.status.conditions), the ability to deconflict is important. 3446 The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) 3447 maxLength: 316 3448 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 3449 type: string 3450 required: 3451 - lastTransitionTime 3452 - message 3453 - reason 3454 - status 3455 - type 3456 type: object 3457 maxItems: 8 3458 type: array 3459 x-kubernetes-list-map-keys: 3460 - type 3461 x-kubernetes-list-type: map 3462 listeners: 3463 description: Listeners provide status for each unique listener port 3464 defined in the Spec. 3465 items: 3466 description: ListenerStatus is the status associated with a Listener. 3467 properties: 3468 attachedRoutes: 3469 description: |- 3470 AttachedRoutes represents the total number of Routes that have been 3471 successfully attached to this Listener. 3472 3473 3474 Successful attachment of a Route to a Listener is based solely on the 3475 combination of the AllowedRoutes field on the corresponding Listener 3476 and the Route's ParentRefs field. 
A Route is successfully attached to 3477 a Listener when it is selected by the Listener's AllowedRoutes field 3478 AND the Route has a valid ParentRef selecting the whole Gateway 3479 resource or a specific Listener as a parent resource (more detail on 3480 attachment semantics can be found in the documentation on the various 3481 Route kinds ParentRefs fields). Listener or Route status does not impact 3482 successful attachment, i.e. the AttachedRoutes field count MUST be set 3483 for Listeners with condition Accepted: false and MUST count successfully 3484 attached Routes that may themselves have Accepted: false conditions. 3485 3486 3487 Uses for this field include troubleshooting Route attachment and 3488 measuring blast radius/impact of changes to a Listener. 3489 format: int32 3490 type: integer 3491 conditions: 3492 description: Conditions describe the current condition of this 3493 listener. 3494 items: 3495 description: "Condition contains details for one aspect of 3496 the current state of this API Resource.\n---\nThis struct 3497 is intended for direct use as an array at the field path 3498 .status.conditions. For example,\n\n\n\ttype FooStatus 3499 struct{\n\t // Represents the observations of a foo's 3500 current state.\n\t // Known .status.conditions.type are: 3501 \"Available\", \"Progressing\", and \"Degraded\"\n\t // 3502 +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // 3503 +listType=map\n\t // +listMapKey=type\n\t Conditions 3504 []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" 3505 patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t 3506 \ // other fields\n\t}" 3507 properties: 3508 lastTransitionTime: 3509 description: |- 3510 lastTransitionTime is the last time the condition transitioned from one status to another. 3511 This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
3512 format: date-time 3513 type: string 3514 message: 3515 description: |- 3516 message is a human readable message indicating details about the transition. 3517 This may be an empty string. 3518 maxLength: 32768 3519 type: string 3520 observedGeneration: 3521 description: |- 3522 observedGeneration represents the .metadata.generation that the condition was set based upon. 3523 For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date 3524 with respect to the current state of the instance. 3525 format: int64 3526 minimum: 0 3527 type: integer 3528 reason: 3529 description: |- 3530 reason contains a programmatic identifier indicating the reason for the condition's last transition. 3531 Producers of specific condition types may define expected values and meanings for this field, 3532 and whether the values are considered a guaranteed API. 3533 The value should be a CamelCase string. 3534 This field may not be empty. 3535 maxLength: 1024 3536 minLength: 1 3537 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 3538 type: string 3539 status: 3540 description: status of the condition, one of True, False, 3541 Unknown. 3542 enum: 3543 - "True" 3544 - "False" 3545 - Unknown 3546 type: string 3547 type: 3548 description: |- 3549 type of condition in CamelCase or in foo.example.com/CamelCase. 3550 --- 3551 Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be 3552 useful (see .node.status.conditions), the ability to deconflict is important. 
3553 The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) 3554 maxLength: 316 3555 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 3556 type: string 3557 required: 3558 - lastTransitionTime 3559 - message 3560 - reason 3561 - status 3562 - type 3563 type: object 3564 maxItems: 8 3565 type: array 3566 x-kubernetes-list-map-keys: 3567 - type 3568 x-kubernetes-list-type: map 3569 name: 3570 description: Name is the name of the Listener that this status 3571 corresponds to. 3572 maxLength: 253 3573 minLength: 1 3574 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3575 type: string 3576 supportedKinds: 3577 description: |- 3578 SupportedKinds is the list indicating the Kinds supported by this 3579 listener. This MUST represent the kinds an implementation supports for 3580 that Listener configuration. 3581 3582 3583 If kinds are specified in Spec that are not supported, they MUST NOT 3584 appear in this list and an implementation MUST set the "ResolvedRefs" 3585 condition to "False" with the "InvalidRouteKinds" reason. If both valid 3586 and invalid Route kinds are specified, the implementation MUST 3587 reference the valid Route kinds that have been specified. 3588 items: 3589 description: RouteGroupKind indicates the group and kind of 3590 a Route resource. 3591 properties: 3592 group: 3593 default: gateway.networking.k8s.io 3594 description: Group is the group of the Route. 3595 maxLength: 253 3596 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3597 type: string 3598 kind: 3599 description: Kind is the kind of the Route. 
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                        required:
                        - kind
                        type: object
                      maxItems: 8
                      type: array
                  required:
                  - attachedRoutes
                  - conditions
                  - name
                  - supportedKinds
                  type: object
                maxItems: 64
                type: array
                x-kubernetes-list-map-keys:
                - name
                x-kubernetes-list-type: map
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
    gateway.networking.k8s.io/bundle-version: v1.1.0
    gateway.networking.k8s.io/channel: experimental
  creationTimestamp: null
  name: grpcroutes.gateway.networking.k8s.io
spec:
  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
    kind: GRPCRoute
    listKind: GRPCRouteList
    plural: grpcroutes
    singular: grpcroute
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.hostnames
      name: Hostnames
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: |-
          GRPCRoute provides a way to route gRPC requests. This includes the capability
          to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
          Filters can be used to specify additional processing steps. Backends specify
          where matching requests will be routed.


          GRPCRoute falls under extended support within the Gateway API. Within the
          following specification, the word "MUST" indicates that an implementation
          supporting GRPCRoute must conform to the indicated requirement, but an
          implementation not supporting this route type need not follow the requirement
          unless explicitly indicated.


          Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
          accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
          ALPN. If the implementation does not support this, then it MUST set the
          "Accepted" condition to "False" for the affected listener with a reason of
          "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections
          with an upgrade from HTTP/1.


          Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
          support HTTP/2 over cleartext TCP (h2c,
          https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
          upgrade from HTTP/1.1, i.e. with prior knowledge
          (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
          does not support this, then it MUST set the "Accepted" condition to "False"
          for the affected listener with a reason of "UnsupportedProtocol".
          Implementations MAY also accept HTTP/2 connections with an upgrade from
          HTTP/1, i.e. without prior knowledge.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of GRPCRoute.
            properties:
              hostnames:
                description: |-
                  Hostnames defines a set of hostnames to match against the GRPC
                  Host header to select a GRPCRoute to process the request. This matches
                  the RFC 1123 definition of a hostname with 2 notable exceptions:


                  1. IPs are not allowed.
                  2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                     label MUST appear by itself as the first label.


                  If a hostname is specified by both the Listener and GRPCRoute, there
                  MUST be at least one intersecting hostname for the GRPCRoute to be
                  attached to the Listener. For example:


                  * A Listener with `test.example.com` as the hostname matches GRPCRoutes
                    that have either not specified any hostnames, or have specified at
                    least one of `test.example.com` or `*.example.com`.
                  * A Listener with `*.example.com` as the hostname matches GRPCRoutes
                    that have either not specified any hostnames or have specified at least
                    one hostname that matches the Listener hostname. For example,
                    `test.example.com` and `*.example.com` would both match. On the other
                    hand, `example.com` and `test.example.net` would not match.


                  Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
                  as a suffix match. That means that a match for `*.example.com` would match
                  both `test.example.com`, and `foo.test.example.com`, but not `example.com`.


                  If both the Listener and GRPCRoute have specified hostnames, any
                  GRPCRoute hostnames that do not match the Listener hostname MUST be
                  ignored. For example, if a Listener specified `*.example.com`, and the
                  GRPCRoute specified `test.example.com` and `test.example.net`,
                  `test.example.net` MUST NOT be considered for a match.


                  If both the Listener and GRPCRoute have specified hostnames, and none
                  match with the criteria above, then the GRPCRoute MUST NOT be accepted by
                  the implementation. The implementation MUST raise an 'Accepted' Condition
                  with a status of `False` in the corresponding RouteParentStatus.


                  If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
                  Listener and that listener already has another Route (B) of the other
                  type attached and the intersection of the hostnames of A and B is
                  non-empty, then the implementation MUST accept exactly one of these two
                  routes, determined by the following criteria, in order:


                  * The oldest Route based on creation timestamp.
                  * The Route appearing first in alphabetical order by
                    "{namespace}/{name}".


                  The rejected Route MUST raise an 'Accepted' condition with a status of
                  'False' in the corresponding RouteParentStatus.


                  Support: Core
                items:
                  description: |-
                    Hostname is the fully qualified domain name of a network host. This matches
                    the RFC 1123 definition of a hostname with 2 notable exceptions:


                    1. IPs are not allowed.
                    2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                       label must appear by itself as the first label.


                    Hostname can be "precise" which is a domain name without the terminating
                    dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
                    domain name prefixed with a single wildcard label (e.g. `*.example.com`).


                    Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
                    alphanumeric characters or '-', and must start and end with an alphanumeric
                    character. No other punctuation is allowed.
                  maxLength: 253
                  minLength: 1
                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                  type: string
                maxItems: 16
                type: array
              parentRefs:
                description: |+
                  ParentRefs references the resources (usually Gateways) that a Route wants
                  to be attached to. Note that the referenced parent resource needs to
                  allow this for the attachment to be complete. For Gateways, that means
                  the Gateway needs to allow attachment from Routes of this kind and
                  namespace. For Services, that means the Service must either be in the same
                  namespace for a "producer" route, or the mesh implementation must support
                  and allow "consumer" routes for the referenced Service. ReferenceGrant is
                  not applicable for governing ParentRefs to Services - it is not possible to
                  create a "producer" route for a Service in a different namespace from the
                  Route.


                  There are two kinds of parent resources with "Core" support:


                  * Gateway (Gateway conformance profile)
                  * Service (Mesh conformance profile, ClusterIP Services only)


                  This API may be extended in the future to support additional kinds of parent
                  resources.


                  ParentRefs must be _distinct_. This means either that:


                  * They select different objects. If this is the case, then parentRef
                    entries are distinct. In terms of fields, this means that the
                    multi-part key defined by `group`, `kind`, `namespace`, and `name` must
                    be unique across all parentRef entries in the Route.
                  * They do not select different objects, but for each optional field used,
                    each ParentRef that selects the same object must set the same set of
                    optional fields to different values. If one ParentRef sets a
                    combination of optional fields, all must set the same combination.


                  Some examples:


                  * If one ParentRef sets `sectionName`, all ParentRefs referencing the
                    same object must also set `sectionName`.
                  * If one ParentRef sets `port`, all ParentRefs referencing the same
                    object must also set `port`.
                  * If one ParentRef sets `sectionName` and `port`, all ParentRefs
                    referencing the same object must also set `sectionName` and `port`.


                  It is possible to separately reference multiple distinct objects that may
                  be collapsed by an implementation. For example, some implementations may
                  choose to merge compatible Gateway Listeners together. If that is the
                  case, the list of routes attached to those resources should also be
                  merged.


                  Note that for ParentRefs that cross namespace boundaries, there are specific
                  rules. Cross-namespace references are only valid if they are explicitly
                  allowed by something in the namespace they are referring to. For example,
                  Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                  generic way to enable other kinds of cross-namespace reference.



                  ParentRefs from a Route to a Service in the same namespace are "producer"
                  routes, which apply default routing rules to inbound connections from
                  any namespace to the Service.


                  ParentRefs from a Route to a Service in a different namespace are
                  "consumer" routes, and these routing rules are only applied to outbound
                  connections originating from the same namespace as the Route, for which
                  the intended destination of the connections are a Service targeted as a
                  ParentRef of the Route.






                items:
                  description: |-
                    ParentReference identifies an API object (usually a Gateway) that can be considered
                    a parent of this resource (usually a route). There are two kinds of parent resources
                    with "Core" support:


                    * Gateway (Gateway conformance profile)
                    * Service (Mesh conformance profile, ClusterIP Services only)


                    This API may be extended in the future to support additional kinds of parent
                    resources.


                    The API object must be valid in the cluster; the Group and Kind must
                    be registered in the cluster for this reference to be valid.
                  properties:
                    group:
                      default: gateway.networking.k8s.io
                      description: |-
                        Group is the group of the referent.
                        When unspecified, "gateway.networking.k8s.io" is inferred.
                        To set the core API group (such as for a "Service" kind referent),
                        Group must be explicitly set to "" (empty string).


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      default: Gateway
                      description: |-
                        Kind is kind of the referent.


                        There are two kinds of parent resources with "Core" support:


                        * Gateway (Gateway conformance profile)
                        * Service (Mesh conformance profile, ClusterIP Services only)


                        Support for other resources is Implementation-Specific.
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent. When unspecified, this refers
                        to the local namespace of the Route.


                        Note that there are specific rules for ParentRefs which cross namespace
                        boundaries. Cross-namespace references are only valid if they are explicitly
                        allowed by something in the namespace they are referring to. For example:
                        Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                        generic way to enable any other kind of cross-namespace reference.



                        ParentRefs from a Route to a Service in the same namespace are "producer"
                        routes, which apply default routing rules to inbound connections from
                        any namespace to the Service.


                        ParentRefs from a Route to a Service in a different namespace are
                        "consumer" routes, and these routing rules are only applied to outbound
                        connections originating from the same namespace as the Route, for which
                        the intended destination of the connections are a Service targeted as a
                        ParentRef of the Route.



                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    port:
                      description: |-
                        Port is the network port this Route targets. It can be interpreted
                        differently based on the type of parent resource.


                        When the parent resource is a Gateway, this targets all listeners
                        listening on the specified port that also support this kind of Route(and
                        select this Route). It's not recommended to set `Port` unless the
                        networking behaviors specified in a Route must apply to a specific port
                        as opposed to a listener(s) whose port(s) may be changed. When both Port
                        and SectionName are specified, the name and port of the selected listener
                        must match both specified values.



                        When the parent resource is a Service, this targets a specific port in the
                        Service spec. When both Port (experimental) and SectionName are specified,
                        the name and port of the selected port must match both specified values.



                        Implementations MAY choose to support other parent resources.
                        Implementations supporting other types of parent resources MUST clearly
                        document how/if Port is interpreted.


                        For the purpose of status, an attachment is considered successful as
                        long as the parent resource accepts it partially. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                        from the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route,
                        the Route MUST be considered detached from the Gateway.


                        Support: Extended
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    sectionName:
                      description: |-
                        SectionName is the name of a section within the target resource. In the
                        following resources, SectionName is interpreted as the following:


                        * Gateway: Listener name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.
                        * Service: Port name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.


                        Implementations MAY choose to support attaching Routes to other resources.
                        If that is the case, they MUST clearly document how SectionName is
                        interpreted.


                        When unspecified (empty string), this will reference the entire resource.
                        For the purpose of status, an attachment is considered successful if at
                        least one section in the parent resource accepts it. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                        the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route, the
                        Route MUST be considered detached from the Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                  required:
                  - name
                  type: object
                maxItems: 32
                type: array
                x-kubernetes-validations:
                - message: sectionName or port must be specified when parentRefs includes
                    2 or more references to the same parent
                  rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
                    == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
                    || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
                    == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
                    || p2.port == 0)): true))'
                - message: sectionName or port must be unique when parentRefs includes
                    2 or more references to the same parent
                  rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
                    == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
                    || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
                    == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
                    == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
                    || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
                    == p2.port))))
              rules:
                description: Rules are a list of GRPC matchers, filters and actions.
4079 items: 4080 description: |- 4081 GRPCRouteRule defines the semantics for matching a gRPC request based on 4082 conditions (matches), processing it (filters), and forwarding the request to 4083 an API object (backendRefs). 4084 properties: 4085 backendRefs: 4086 description: |- 4087 BackendRefs defines the backend(s) where matching requests should be 4088 sent. 4089 4090 4091 Failure behavior here depends on how many BackendRefs are specified and 4092 how many are invalid. 4093 4094 4095 If *all* entries in BackendRefs are invalid, and there are also no filters 4096 specified in this route rule, *all* traffic which matches this rule MUST 4097 receive an `UNAVAILABLE` status. 4098 4099 4100 See the GRPCBackendRef definition for the rules about what makes a single 4101 GRPCBackendRef invalid. 4102 4103 4104 When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for 4105 requests that would have otherwise been routed to an invalid backend. If 4106 multiple backends are specified, and some are invalid, the proportion of 4107 requests that would otherwise have been routed to an invalid backend 4108 MUST receive an `UNAVAILABLE` status. 4109 4110 4111 For example, if two backends are specified with equal weights, and one is 4112 invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. 4113 Implementations may choose how that 50 percent is determined. 4114 4115 4116 Support: Core for Kubernetes Service 4117 4118 4119 Support: Implementation-specific for any other resource 4120 4121 4122 Support for weight: Core 4123 items: 4124 description: |- 4125 GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. 4126 4127 4128 Note that when a namespace different than the local namespace is specified, a 4129 ReferenceGrant object is required in the referent namespace to allow that 4130 namespace's owner to accept the reference. See the ReferenceGrant 4131 documentation for details. 
4132 4133 4134 <gateway:experimental:description> 4135 4136 4137 When the BackendRef points to a Kubernetes Service, implementations SHOULD 4138 honor the appProtocol field if it is set for the target Service Port. 4139 4140 4141 Implementations supporting appProtocol SHOULD recognize the Kubernetes 4142 Standard Application Protocols defined in KEP-3726. 4143 4144 4145 If a Service appProtocol isn't specified, an implementation MAY infer the 4146 backend protocol through its own means. Implementations MAY infer the 4147 protocol from the Route type referring to the backend Service. 4148 4149 4150 If a Route is not able to send traffic to the backend using the specified 4151 protocol then the backend is considered invalid. Implementations MUST set the 4152 "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. 4153 4154 4155 </gateway:experimental:description> 4156 properties: 4157 filters: 4158 description: |- 4159 Filters defined at this level MUST be executed if and only if the 4160 request is being forwarded to the backend defined here. 4161 4162 4163 Support: Implementation-specific (For broader support of filters, use the 4164 Filters field in GRPCRouteRule.) 4165 items: 4166 description: |- 4167 GRPCRouteFilter defines processing steps that must be completed during the 4168 request or response lifecycle. GRPCRouteFilters are meant as an extension 4169 point to express processing that may be done in Gateway implementations. Some 4170 examples include request or response modification, implementing 4171 authentication strategies, rate-limiting, and traffic shaping. API 4172 guarantee/conformance is defined based on the type of the filter. 4173 properties: 4174 extensionRef: 4175 description: |- 4176 ExtensionRef is an optional, implementation-specific extension to the 4177 "filter" behavior. For example, resource "myroutefilter" in group 4178 "networking.example.net"). ExtensionRef MUST NOT be used for core and 4179 extended filters. 
4180 4181 4182 Support: Implementation-specific 4183 4184 4185 This filter can be used multiple times within the same rule. 4186 properties: 4187 group: 4188 description: |- 4189 Group is the group of the referent. For example, "gateway.networking.k8s.io". 4190 When unspecified or empty string, core API group is inferred. 4191 maxLength: 253 4192 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 4193 type: string 4194 kind: 4195 description: Kind is kind of the referent. For 4196 example "HTTPRoute" or "Service". 4197 maxLength: 63 4198 minLength: 1 4199 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 4200 type: string 4201 name: 4202 description: Name is the name of the referent. 4203 maxLength: 253 4204 minLength: 1 4205 type: string 4206 required: 4207 - group 4208 - kind 4209 - name 4210 type: object 4211 requestHeaderModifier: 4212 description: |- 4213 RequestHeaderModifier defines a schema for a filter that modifies request 4214 headers. 4215 4216 4217 Support: Core 4218 properties: 4219 add: 4220 description: |- 4221 Add adds the given header(s) (name, value) to the request 4222 before the action. It appends to any existing values associated 4223 with the header name. 4224 4225 4226 Input: 4227 GET /foo HTTP/1.1 4228 my-header: foo 4229 4230 4231 Config: 4232 add: 4233 - name: "my-header" 4234 value: "bar,baz" 4235 4236 4237 Output: 4238 GET /foo HTTP/1.1 4239 my-header: foo,bar,baz 4240 items: 4241 description: HTTPHeader represents an HTTP 4242 Header name and value as defined by RFC 4243 7230. 4244 properties: 4245 name: 4246 description: |- 4247 Name is the name of the HTTP Header to be matched. Name matching MUST be 4248 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 4249 4250 4251 If multiple entries specify equivalent header names, the first entry with 4252 an equivalent name MUST be considered for a match. Subsequent entries 4253 with an equivalent header name MUST be ignored. 
Due to the 4254 case-insensitivity of header names, "foo" and "Foo" are considered 4255 equivalent. 4256 maxLength: 256 4257 minLength: 1 4258 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 4259 type: string 4260 value: 4261 description: Value is the value of HTTP 4262 Header to be matched. 4263 maxLength: 4096 4264 minLength: 1 4265 type: string 4266 required: 4267 - name 4268 - value 4269 type: object 4270 maxItems: 16 4271 type: array 4272 x-kubernetes-list-map-keys: 4273 - name 4274 x-kubernetes-list-type: map 4275 remove: 4276 description: |- 4277 Remove the given header(s) from the HTTP request before the action. The 4278 value of Remove is a list of HTTP header names. Note that the header 4279 names are case-insensitive (see 4280 https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 4281 4282 4283 Input: 4284 GET /foo HTTP/1.1 4285 my-header1: foo 4286 my-header2: bar 4287 my-header3: baz 4288 4289 4290 Config: 4291 remove: ["my-header1", "my-header3"] 4292 4293 4294 Output: 4295 GET /foo HTTP/1.1 4296 my-header2: bar 4297 items: 4298 type: string 4299 maxItems: 16 4300 type: array 4301 x-kubernetes-list-type: set 4302 set: 4303 description: |- 4304 Set overwrites the request with the given header (name, value) 4305 before the action. 4306 4307 4308 Input: 4309 GET /foo HTTP/1.1 4310 my-header: foo 4311 4312 4313 Config: 4314 set: 4315 - name: "my-header" 4316 value: "bar" 4317 4318 4319 Output: 4320 GET /foo HTTP/1.1 4321 my-header: bar 4322 items: 4323 description: HTTPHeader represents an HTTP 4324 Header name and value as defined by RFC 4325 7230. 4326 properties: 4327 name: 4328 description: |- 4329 Name is the name of the HTTP Header to be matched. Name matching MUST be 4330 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 4331 4332 4333 If multiple entries specify equivalent header names, the first entry with 4334 an equivalent name MUST be considered for a match. 
Subsequent entries 4335 with an equivalent header name MUST be ignored. Due to the 4336 case-insensitivity of header names, "foo" and "Foo" are considered 4337 equivalent. 4338 maxLength: 256 4339 minLength: 1 4340 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 4341 type: string 4342 value: 4343 description: Value is the value of HTTP 4344 Header to be matched. 4345 maxLength: 4096 4346 minLength: 1 4347 type: string 4348 required: 4349 - name 4350 - value 4351 type: object 4352 maxItems: 16 4353 type: array 4354 x-kubernetes-list-map-keys: 4355 - name 4356 x-kubernetes-list-type: map 4357 type: object 4358 requestMirror: 4359 description: |- 4360 RequestMirror defines a schema for a filter that mirrors requests. 4361 Requests are sent to the specified destination, but responses from 4362 that destination are ignored. 4363 4364 4365 This filter can be used multiple times within the same rule. Note that 4366 not all implementations will be able to support mirroring to multiple 4367 backends. 4368 4369 4370 Support: Extended 4371 properties: 4372 backendRef: 4373 description: |- 4374 BackendRef references a resource where mirrored requests are sent. 4375 4376 4377 Mirrored requests must be sent only to a single destination endpoint 4378 within this BackendRef, irrespective of how many endpoints are present 4379 within this BackendRef. 4380 4381 4382 If the referent cannot be found, this BackendRef is invalid and must be 4383 dropped from the Gateway. The controller must ensure the "ResolvedRefs" 4384 condition on the Route status is set to `status: False` and not configure 4385 this backend in the underlying implementation. 4386 4387 4388 If there is a cross-namespace reference to an *existing* object 4389 that is not allowed by a ReferenceGrant, the controller must ensure the 4390 "ResolvedRefs" condition on the Route is set to `status: False`, 4391 with the "RefNotPermitted" reason and not configure this backend in the 4392 underlying implementation. 
4393 4394 4395 In either error case, the Message of the `ResolvedRefs` Condition 4396 should be used to provide more detail about the problem. 4397 4398 4399 Support: Extended for Kubernetes Service 4400 4401 4402 Support: Implementation-specific for any other resource 4403 properties: 4404 group: 4405 default: "" 4406 description: |- 4407 Group is the group of the referent. For example, "gateway.networking.k8s.io". 4408 When unspecified or empty string, core API group is inferred. 4409 maxLength: 253 4410 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 4411 type: string 4412 kind: 4413 default: Service 4414 description: |- 4415 Kind is the Kubernetes resource kind of the referent. For example 4416 "Service". 4417 4418 4419 Defaults to "Service" when not specified. 4420 4421 4422 ExternalName services can refer to CNAME DNS records that may live 4423 outside of the cluster and as such are difficult to reason about in 4424 terms of conformance. They also may not be safe to forward to (see 4425 CVE-2021-25740 for more information). Implementations SHOULD NOT 4426 support ExternalName Services. 4427 4428 4429 Support: Core (Services with a type other than ExternalName) 4430 4431 4432 Support: Implementation-specific (Services with type ExternalName) 4433 maxLength: 63 4434 minLength: 1 4435 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 4436 type: string 4437 name: 4438 description: Name is the name of the referent. 4439 maxLength: 253 4440 minLength: 1 4441 type: string 4442 namespace: 4443 description: |- 4444 Namespace is the namespace of the backend. When unspecified, the local 4445 namespace is inferred. 4446 4447 4448 Note that when a namespace different than the local namespace is specified, 4449 a ReferenceGrant object is required in the referent namespace to allow that 4450 namespace's owner to accept the reference. See the ReferenceGrant 4451 documentation for details. 


                                            Support: Core
                                          maxLength: 63
                                          minLength: 1
                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                          type: string
                                        port:
                                          description: |-
                                            Port specifies the destination port number to use for this resource.
                                            Port is required when the referent is a Kubernetes Service. In this
                                            case, the port number is the service port number, not the target port.
                                            For other resources, destination port might be derived from the referent
                                            resource or this field.
                                          format: int32
                                          maximum: 65535
                                          minimum: 1
                                          type: integer
                                      required:
                                      - name
                                      type: object
                                      x-kubernetes-validations:
                                      - message: Must have port for Service reference
                                        rule: '(size(self.group) == 0 && self.kind
                                          == ''Service'') ? has(self.port) : true'
                                  required:
                                  - backendRef
                                  type: object
                                responseHeaderModifier:
                                  description: |-
                                    ResponseHeaderModifier defines a schema for a filter that modifies response
                                    headers.


                                    Support: Extended
                                  properties:
                                    add:
                                      description: |-
                                        Add adds the given header(s) (name, value) to the request
                                        before the action. It appends to any existing values associated
                                        with the header name.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          add:
                                          - name: "my-header"
                                            value: "bar,baz"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: foo,bar,baz
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                    remove:
                                      description: |-
                                        Remove the given header(s) from the HTTP request before the action. The
                                        value of Remove is a list of HTTP header names. Note that the header
                                        names are case-insensitive (see
                                        https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header1: foo
                                          my-header2: bar
                                          my-header3: baz


                                        Config:
                                          remove: ["my-header1", "my-header3"]


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header2: bar
                                      items:
                                        type: string
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-type: set
                                    set:
                                      description: |-
                                        Set overwrites the request with the given header (name, value)
                                        before the action.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          set:
                                          - name: "my-header"
                                            value: "bar"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: bar
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                  type: object
                                type:
                                  description: |+
                                    Type identifies the type of filter to apply. As with other API fields,
                                    types are classified into three conformance levels:


                                    - Core: Filter types and their corresponding configuration defined by
                                      "Support: Core" in this package, e.g. "RequestHeaderModifier". All
                                      implementations supporting GRPCRoute MUST support core filters.


                                    - Extended: Filter types and their corresponding configuration defined by
                                      "Support: Extended" in this package, e.g. "RequestMirror". Implementers
                                      are encouraged to support extended filters.


                                    - Implementation-specific: Filters that are defined and supported by specific vendors.
                                      In the future, filters showing convergence in behavior across multiple
                                      implementations will be considered for inclusion in extended or core
                                      conformance levels. Filter-specific configuration for such filters
                                      is specified using the ExtensionRef field. `Type` MUST be set to
                                      "ExtensionRef" for custom filters.


                                    Implementers are encouraged to define custom implementation types to
                                    extend the core API with implementation-specific behavior.


                                    If a reference to a custom filter type cannot be resolved, the filter
                                    MUST NOT be skipped. Instead, requests that would have been processed by
                                    that filter MUST receive a HTTP error response.


                                  enum:
                                  - ResponseHeaderModifier
                                  - RequestHeaderModifier
                                  - RequestMirror
                                  - ExtensionRef
                                  type: string
                              required:
                              - type
                              type: object
                              x-kubernetes-validations:
                              - message: filter.requestHeaderModifier must be nil
                                  if the filter.type is not RequestHeaderModifier
                                rule: '!(has(self.requestHeaderModifier) && self.type
                                  != ''RequestHeaderModifier'')'
                              - message: filter.requestHeaderModifier must be specified
                                  for RequestHeaderModifier filter.type
                                rule: '!(!has(self.requestHeaderModifier) && self.type
                                  == ''RequestHeaderModifier'')'
                              - message: filter.responseHeaderModifier must be nil
                                  if the filter.type is not ResponseHeaderModifier
                                rule: '!(has(self.responseHeaderModifier) && self.type
                                  != ''ResponseHeaderModifier'')'
                              - message: filter.responseHeaderModifier must be specified
                                  for ResponseHeaderModifier filter.type
                                rule: '!(!has(self.responseHeaderModifier) && self.type
                                  == ''ResponseHeaderModifier'')'
                              - message: filter.requestMirror must be nil if the filter.type
                                  is not RequestMirror
                                rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
                              - message: filter.requestMirror must be specified for
                                  RequestMirror filter.type
                                rule: '!(!has(self.requestMirror) && self.type ==
                                  ''RequestMirror'')'
                              - message: filter.extensionRef must be nil if the filter.type
                                  is not ExtensionRef
                                rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
                              - message: filter.extensionRef must be specified for
                                  ExtensionRef filter.type
                                rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
                            maxItems: 16
                            type: array
                            x-kubernetes-validations:
                            - message: RequestHeaderModifier filter cannot be repeated
                              rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
                                <= 1
                            - message: ResponseHeaderModifier filter cannot be repeated
                              rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
                                <= 1
                          group:
                            default: ""
                            description: |-
                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
                              When unspecified or empty string, core API group is inferred.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            default: Service
                            description: |-
                              Kind is the Kubernetes resource kind of the referent. For example
                              "Service".


                              Defaults to "Service" when not specified.


                              ExternalName services can refer to CNAME DNS records that may live
                              outside of the cluster and as such are difficult to reason about in
                              terms of conformance. They also may not be safe to forward to (see
                              CVE-2021-25740 for more information). Implementations SHOULD NOT
                              support ExternalName Services.


                              Support: Core (Services with a type other than ExternalName)


                              Support: Implementation-specific (Services with type ExternalName)
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                          name:
                            description: Name is the name of the referent.
                            maxLength: 253
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace is the namespace of the backend. When unspecified, the local
                              namespace is inferred.


                              Note that when a namespace different than the local namespace is specified,
                              a ReferenceGrant object is required in the referent namespace to allow that
                              namespace's owner to accept the reference. See the ReferenceGrant
                              documentation for details.


                              Support: Core
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          port:
                            description: |-
                              Port specifies the destination port number to use for this resource.
                              Port is required when the referent is a Kubernetes Service. In this
                              case, the port number is the service port number, not the target port.
                              For other resources, destination port might be derived from the referent
                              resource or this field.
                            format: int32
                            maximum: 65535
                            minimum: 1
                            type: integer
                          weight:
                            default: 1
                            description: |-
                              Weight specifies the proportion of requests forwarded to the referenced
                              backend. This is computed as weight/(sum of all weights in this
                              BackendRefs list). For non-zero values, there may be some epsilon from
                              the exact proportion defined here depending on the precision an
                              implementation supports. Weight is not a percentage and the sum of
                              weights does not need to equal 100.


                              If only one backend is specified and it has a weight greater than 0, 100%
                              of the traffic is forwarded to that backend. If weight is set to 0, no
                              traffic should be forwarded for this entry. If unspecified, weight
                              defaults to 1.


                              Support for this field varies based on the context where used.
                            format: int32
                            maximum: 1000000
                            minimum: 0
                            type: integer
                        required:
                        - name
                        type: object
                        x-kubernetes-validations:
                        - message: Must have port for Service reference
                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
                            ? has(self.port) : true'
                      maxItems: 16
                      type: array
                    filters:
                      description: |-
                        Filters define the filters that are applied to requests that match
                        this rule.


                        The effects of ordering of multiple behaviors are currently unspecified.
                        This can change in the future based on feedback during the alpha stage.


                        Conformance-levels at this level are defined based on the type of filter:


                        - ALL core filters MUST be supported by all implementations that support
                          GRPCRoute.
                        - Implementers are encouraged to support extended filters.
                        - Implementation-specific custom filters have no API guarantees across
                          implementations.


                        Specifying the same filter multiple times is not supported unless explicitly
                        indicated in the filter.


                        If an implementation can not support a combination of filters, it must clearly
                        document that limitation. In cases where incompatible or unsupported
                        filters are specified and cause the `Accepted` condition to be set to status
                        `False`, implementations may use the `IncompatibleFilters` reason to specify
                        this configuration error.


                        Support: Core
                      items:
                        description: |-
                          GRPCRouteFilter defines processing steps that must be completed during the
                          request or response lifecycle. GRPCRouteFilters are meant as an extension
                          point to express processing that may be done in Gateway implementations. Some
                          examples include request or response modification, implementing
                          authentication strategies, rate-limiting, and traffic shaping. API
                          guarantee/conformance is defined based on the type of the filter.
                        properties:
                          extensionRef:
                            description: |-
                              ExtensionRef is an optional, implementation-specific extension to the
                              "filter" behavior.  For example, resource "myroutefilter" in group
                              "networking.example.net"). ExtensionRef MUST NOT be used for core and
                              extended filters.


                              Support: Implementation-specific


                              This filter can be used multiple times within the same rule.
                            properties:
                              group:
                                description: |-
                                  Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                  When unspecified or empty string, core API group is inferred.
                                maxLength: 253
                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              kind:
                                description: Kind is kind of the referent. For example
                                  "HTTPRoute" or "Service".
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                type: string
                              name:
                                description: Name is the name of the referent.
                                maxLength: 253
                                minLength: 1
                                type: string
                            required:
                            - group
                            - kind
                            - name
                            type: object
                          requestHeaderModifier:
                            description: |-
                              RequestHeaderModifier defines a schema for a filter that modifies request
                              headers.


                              Support: Core
                            properties:
                              add:
                                description: |-
                                  Add adds the given header(s) (name, value) to the request
                                  before the action. It appends to any existing values associated
                                  with the header name.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    add:
                                    - name: "my-header"
                                      value: "bar,baz"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: foo,bar,baz
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                              remove:
                                description: |-
                                  Remove the given header(s) from the HTTP request before the action. The
                                  value of Remove is a list of HTTP header names. Note that the header
                                  names are case-insensitive (see
                                  https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header1: foo
                                    my-header2: bar
                                    my-header3: baz


                                  Config:
                                    remove: ["my-header1", "my-header3"]


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header2: bar
                                items:
                                  type: string
                                maxItems: 16
                                type: array
                                x-kubernetes-list-type: set
                              set:
                                description: |-
                                  Set overwrites the request with the given header (name, value)
                                  before the action.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    set:
                                    - name: "my-header"
                                      value: "bar"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: bar
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                            type: object
                          requestMirror:
                            description: |-
                              RequestMirror defines a schema for a filter that mirrors requests.
                              Requests are sent to the specified destination, but responses from
                              that destination are ignored.


                              This filter can be used multiple times within the same rule. Note that
                              not all implementations will be able to support mirroring to multiple
                              backends.


                              Support: Extended
                            properties:
                              backendRef:
                                description: |-
                                  BackendRef references a resource where mirrored requests are sent.


                                  Mirrored requests must be sent only to a single destination endpoint
                                  within this BackendRef, irrespective of how many endpoints are present
                                  within this BackendRef.


                                  If the referent cannot be found, this BackendRef is invalid and must be
                                  dropped from the Gateway. The controller must ensure the "ResolvedRefs"
                                  condition on the Route status is set to `status: False` and not configure
                                  this backend in the underlying implementation.


                                  If there is a cross-namespace reference to an *existing* object
                                  that is not allowed by a ReferenceGrant, the controller must ensure the
                                  "ResolvedRefs"  condition on the Route is set to `status: False`,
                                  with the "RefNotPermitted" reason and not configure this backend in the
                                  underlying implementation.


                                  In either error case, the Message of the `ResolvedRefs` Condition
                                  should be used to provide more detail about the problem.


                                  Support: Extended for Kubernetes Service


                                  Support: Implementation-specific for any other resource
                                properties:
                                  group:
                                    default: ""
                                    description: |-
                                      Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                      When unspecified or empty string, core API group is inferred.
                                    maxLength: 253
                                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  kind:
                                    default: Service
                                    description: |-
                                      Kind is the Kubernetes resource kind of the referent. For example
                                      "Service".


                                      Defaults to "Service" when not specified.


                                      ExternalName services can refer to CNAME DNS records that may live
                                      outside of the cluster and as such are difficult to reason about in
                                      terms of conformance. They also may not be safe to forward to (see
                                      CVE-2021-25740 for more information). Implementations SHOULD NOT
                                      support ExternalName Services.


                                      Support: Core (Services with a type other than ExternalName)


                                      Support: Implementation-specific (Services with type ExternalName)
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                    type: string
                                  name:
                                    description: Name is the name of the referent.
                                    maxLength: 253
                                    minLength: 1
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace is the namespace of the backend. When unspecified, the local
                                      namespace is inferred.


                                      Note that when a namespace different than the local namespace is specified,
                                      a ReferenceGrant object is required in the referent namespace to allow that
                                      namespace's owner to accept the reference. See the ReferenceGrant
                                      documentation for details.


                                      Support: Core
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                  port:
                                    description: |-
                                      Port specifies the destination port number to use for this resource.
                                      Port is required when the referent is a Kubernetes Service. In this
                                      case, the port number is the service port number, not the target port.
                                      For other resources, destination port might be derived from the referent
                                      resource or this field.
                                    format: int32
                                    maximum: 65535
                                    minimum: 1
                                    type: integer
                                required:
                                - name
                                type: object
                                x-kubernetes-validations:
                                - message: Must have port for Service reference
                                  rule: '(size(self.group) == 0 && self.kind == ''Service'')
                                    ? has(self.port) : true'
                            required:
                            - backendRef
                            type: object
                          responseHeaderModifier:
                            description: |-
                              ResponseHeaderModifier defines a schema for a filter that modifies response
                              headers.


                              Support: Extended
                            properties:
                              add:
                                description: |-
                                  Add adds the given header(s) (name, value) to the request
                                  before the action. It appends to any existing values associated
                                  with the header name.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    add:
                                    - name: "my-header"
                                      value: "bar,baz"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: foo,bar,baz
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                              remove:
                                description: |-
                                  Remove the given header(s) from the HTTP request before the action. The
                                  value of Remove is a list of HTTP header names. Note that the header
                                  names are case-insensitive (see
                                  https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header1: foo
                                    my-header2: bar
                                    my-header3: baz


                                  Config:
                                    remove: ["my-header1", "my-header3"]


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header2: bar
                                items:
                                  type: string
                                maxItems: 16
                                type: array
                                x-kubernetes-list-type: set
                              set:
                                description: |-
                                  Set overwrites the request with the given header (name, value)
                                  before the action.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    set:
                                    - name: "my-header"
                                      value: "bar"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: bar
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                            type: object
                          type:
                            description: |+
                              Type identifies the type of filter to apply. As with other API fields,
                              types are classified into three conformance levels:


                              - Core: Filter types and their corresponding configuration defined by
                                "Support: Core" in this package, e.g. "RequestHeaderModifier". All
                                implementations supporting GRPCRoute MUST support core filters.


                              - Extended: Filter types and their corresponding configuration defined by
                                "Support: Extended" in this package, e.g. "RequestMirror". Implementers
                                are encouraged to support extended filters.


                              - Implementation-specific: Filters that are defined and supported by specific vendors.
                                In the future, filters showing convergence in behavior across multiple
                                implementations will be considered for inclusion in extended or core
                                conformance levels. Filter-specific configuration for such filters
                                is specified using the ExtensionRef field. `Type` MUST be set to
                                "ExtensionRef" for custom filters.


                              Implementers are encouraged to define custom implementation types to
                              extend the core API with implementation-specific behavior.


                              If a reference to a custom filter type cannot be resolved, the filter
                              MUST NOT be skipped. Instead, requests that would have been processed by
                              that filter MUST receive a HTTP error response.


                            enum:
                            - ResponseHeaderModifier
                            - RequestHeaderModifier
                            - RequestMirror
                            - ExtensionRef
                            type: string
                        required:
                        - type
                        type: object
                        x-kubernetes-validations:
                        - message: filter.requestHeaderModifier must be nil if the
                            filter.type is not RequestHeaderModifier
                          rule: '!(has(self.requestHeaderModifier) && self.type !=
                            ''RequestHeaderModifier'')'
                        - message: filter.requestHeaderModifier must be specified
                            for RequestHeaderModifier filter.type
                          rule: '!(!has(self.requestHeaderModifier) && self.type ==
                            ''RequestHeaderModifier'')'
                        - message: filter.responseHeaderModifier must be nil if the
                            filter.type is not ResponseHeaderModifier
                          rule: '!(has(self.responseHeaderModifier) && self.type !=
                            ''ResponseHeaderModifier'')'
                        - message: filter.responseHeaderModifier must be specified
                            for ResponseHeaderModifier filter.type
                          rule: '!(!has(self.responseHeaderModifier) && self.type
                            == ''ResponseHeaderModifier'')'
                        - message: filter.requestMirror must be nil if the filter.type
                            is not RequestMirror
                          rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
                        - message: filter.requestMirror must be specified for RequestMirror
                            filter.type
                          rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
                        - message: filter.extensionRef must be nil if the filter.type
                            is not ExtensionRef
                          rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
                        - message: filter.extensionRef must be specified for ExtensionRef
                            filter.type
                          rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
                      maxItems: 16
                      type: array
                      x-kubernetes-validations:
                      - message: RequestHeaderModifier filter cannot be repeated
                        rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
                          <= 1
                      - message: ResponseHeaderModifier filter cannot be repeated
                        rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
                          <= 1
                    matches:
                      description: |-
                        Matches define conditions used for matching the rule against incoming
                        gRPC requests. Each match is independent, i.e. this rule will be matched
                        if **any** one of the matches is satisfied.


                        For example, take the following matches configuration:


                        ```
                        matches:
                        - method:
                            service: foo.bar
                          headers:
                            values:
                              version: 2
                        - method:
                            service: foo.bar.v2
                        ```


                        For a request to match against this rule, it MUST satisfy
                        EITHER of the two conditions:


                        - service of foo.bar AND contains the header `version: 2`
                        - service of foo.bar.v2


                        See the documentation for GRPCRouteMatch on how to specify multiple
                        match conditions to be ANDed together.


                        If no matches are specified, the implementation MUST match every gRPC request.


                        Proxy or Load Balancer routing configuration generated from GRPCRoutes
                        MUST prioritize rules based on the following criteria, continuing on
                        ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
                        Precedence MUST be given to the rule with the largest number of:


                        * Characters in a matching non-wildcard hostname.
                        * Characters in a matching hostname.
                        * Characters in a matching service.
                        * Characters in a matching method.
                        * Header matches.


                        If ties still exist across multiple Routes, matching precedence MUST be
                        determined in order of the following criteria, continuing on ties:


                        * The oldest Route based on creation timestamp.
                        * The Route appearing first in alphabetical order by
                          "{namespace}/{name}".


                        If ties still exist within the Route that has been given precedence,
                        matching precedence MUST be granted to the first matching rule meeting
                        the above criteria.
                      items:
                        description: |-
                          GRPCRouteMatch defines the predicate used to match requests to a given
                          action. Multiple match types are ANDed together, i.e. the match will
                          evaluate to true only if all conditions are satisfied.


                          For example, the match below will match a gRPC request only if its service
                          is `foo` AND it contains the `version: v1` header:


                          ```
                          matches:
                          - method:
                              type: Exact
                              service: "foo"
                            headers:
                            - name: "version"
                              value "v1"


                          ```
                        properties:
                          headers:
                            description: |-
                              Headers specifies gRPC request header matchers. Multiple match values are
                              ANDed together, meaning, a request MUST match all the specified headers
                              to select the route.
                            items:
                              description: |-
                                GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
                                headers.
                              properties:
                                name:
                                  description: |-
                                    Name is the name of the gRPC Header to be matched.


                                    If multiple entries specify equivalent header names, only the first
                                    entry with an equivalent name MUST be considered for a match. Subsequent
                                    entries with an equivalent header name MUST be ignored. Due to the
                                    case-insensitivity of header names, "foo" and "Foo" are considered
                                    equivalent.
                                  maxLength: 256
                                  minLength: 1
                                  pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                  type: string
                                type:
                                  default: Exact
                                  description: Type specifies how to match against
                                    the value of the header.
                                  enum:
                                  - Exact
                                  - RegularExpression
                                  type: string
                                value:
                                  description: Value is the value of the gRPC Header
                                    to be matched.
                                  maxLength: 4096
                                  minLength: 1
                                  type: string
                              required:
                              - name
                              - value
                              type: object
                            maxItems: 16
                            type: array
                            x-kubernetes-list-map-keys:
                            - name
                            x-kubernetes-list-type: map
                          method:
                            description: |-
                              Method specifies a gRPC request service/method matcher. If this field is
                              not specified, all services and methods will match.
                            properties:
                              method:
                                description: |-
                                  Value of the method to match against. If left empty or omitted, will
                                  match all services.


                                  At least one of Service and Method MUST be a non-empty string.
                                maxLength: 1024
                                type: string
                              service:
                                description: |-
                                  Value of the service to match against. If left empty or omitted, will
                                  match any service.


                                  At least one of Service and Method MUST be a non-empty string.
                                maxLength: 1024
                                type: string
                              type:
                                default: Exact
                                description: |-
                                  Type specifies how to match against the service and/or method.
                                  Support: Core (Exact with service and method specified)


                                  Support: Implementation-specific (Exact with method specified but no service specified)


                                  Support: Implementation-specific (RegularExpression)
                                enum:
                                - Exact
                                - RegularExpression
                                type: string
                            type: object
                            x-kubernetes-validations:
                            - message: One or both of 'service' or 'method' must be
                                specified
                              rule: 'has(self.type) ? has(self.service) || has(self.method)
                                : true'
                            - message: service must only contain valid characters
                                (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
                              rule: '(!has(self.type) || self.type == ''Exact'') &&
                                has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
                                true'
                            - message: method must only contain valid characters (matching
                                ^[A-Za-z_][A-Za-z_0-9]*$)
                              rule: '(!has(self.type) || self.type == ''Exact'') &&
                                has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
                                true'
                        type: object
                      maxItems: 8
                      type: array
                    sessionPersistence:
                      description: |+
                        SessionPersistence defines and configures session persistence
                        for the route rule.


                        Support: Extended


                      properties:
                        absoluteTimeout:
                          description: |-
                            AbsoluteTimeout defines the absolute timeout of the persistent
                            session. Once the AbsoluteTimeout duration has elapsed, the
                            session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        cookieConfig:
                          description: |-
                            CookieConfig provides configuration settings that are specific
                            to cookie-based session persistence.


                            Support: Core
                          properties:
                            lifetimeType:
                              default: Session
                              description: |-
                                LifetimeType specifies whether the cookie has a permanent or
                                session-based lifetime. A permanent cookie persists until its
                                specified expiry time, defined by the Expires or Max-Age cookie
                                attributes, while a session cookie is deleted when the current
                                session ends.


                                When set to "Permanent", AbsoluteTimeout indicates the
                                cookie's lifetime via the Expires or Max-Age cookie attributes
                                and is required.


                                When set to "Session", AbsoluteTimeout indicates the
                                absolute lifetime of the cookie tracked by the gateway and
                                is optional.


                                Support: Core for "Session" type


                                Support: Extended for "Permanent" type
                              enum:
                              - Permanent
                              - Session
                              type: string
                          type: object
                        idleTimeout:
                          description: |-
                            IdleTimeout defines the idle timeout of the persistent session.
                            Once the session has been idle for more than the specified
                            IdleTimeout duration, the session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        sessionName:
                          description: |-
                            SessionName defines the name of the persistent session token
                            which may be reflected in the cookie or the header. Users
                            should avoid reusing session names to prevent unintended
                            consequences, such as rejection or unpredictable behavior.


                            Support: Implementation-specific
                          maxLength: 128
                          type: string
                        type:
                          default: Cookie
                          description: |-
                            Type defines the type of session persistence such as through
                            the use of a header or cookie. Defaults to cookie based session
                            persistence.


                            Support: Core for "Cookie" type


                            Support: Extended for "Header" type
                          enum:
                          - Cookie
                          - Header
                          type: string
                      type: object
                      x-kubernetes-validations:
                      - message: AbsoluteTimeout must be specified when cookie lifetimeType
                          is Permanent
                        rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType
                          != ''Permanent'' || has(self.absoluteTimeout)'
                  type: object
                maxItems: 16
                type: array
            type: object
          status:
            description: Status defines the current state of GRPCRoute.
            properties:
              parents:
                description: |-
                  Parents is a list of parent resources (usually Gateways) that are
                  associated with the route, and the status of the route with respect to
                  each parent. When this route attaches to a parent, the controller that
                  manages the parent must add an entry to this list when the controller
                  first sees the route and should update the entry as appropriate when the
                  route or gateway is modified.


                  Note that parent references that cannot be resolved by an implementation
                  of this API will not be added to this list. Implementations of this API
                  can only populate Route status for the Gateways/parent resources they are
                  responsible for.


                  A maximum of 32 Gateways will be represented in this list. An empty list
                  means the route has not been attached to any Gateway.
                items:
                  description: |-
                    RouteParentStatus describes the status of a route with respect to an
                    associated Parent.
                  properties:
                    conditions:
                      description: |-
                        Conditions describes the status of the route with respect to the Gateway.
                        Note that the route's availability is also subject to the Gateway's own
                        status conditions and listener status.


                        If the Route's ParentRef specifies an existing Gateway that supports
                        Routes of this kind AND that Gateway's controller has sufficient access,
                        then that Gateway's controller MUST set the "Accepted" condition on the
                        Route, to indicate whether the route has been accepted or rejected by the
                        Gateway, and why.


                        A Route MUST be considered "Accepted" if at least one of the Route's
                        rules is implemented by the Gateway.


                        There are a number of cases where the "Accepted" condition may not be set
                        due to lack of controller visibility, that includes when:


                        * The Route refers to a non-existent parent.
                        * The Route is of a type that the controller does not support.
                        * The Route is in a namespace the controller does not have access to.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      minItems: 1
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    controllerName:
                      description: |-
                        ControllerName is a domain/path string that indicates the name of the
                        controller that wrote this status. This corresponds with the
                        controllerName field on GatewayClass.


                        Example: "example.net/gateway-controller".


                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
                        valid Kubernetes names
                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).


                        Controllers MUST populate this field when writing status. Controllers should ensure that
                        entries to status populated with their ControllerName are cleaned up when they are no
                        longer necessary.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    parentRef:
                      description: |-
                        ParentRef corresponds with a ParentRef in the spec that this
                        RouteParentStatus struct describes the status of.
                      properties:
                        group:
                          default: gateway.networking.k8s.io
                          description: |-
                            Group is the group of the referent.
                            When unspecified, "gateway.networking.k8s.io" is inferred.
                            To set the core API group (such as for a "Service" kind referent),
                            Group must be explicitly set to "" (empty string).


                            Support: Core
                          maxLength: 253
                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        kind:
                          default: Gateway
                          description: |-
                            Kind is kind of the referent.


                            There are two kinds of parent resources with "Core" support:


                            * Gateway (Gateway conformance profile)
                            * Service (Mesh conformance profile, ClusterIP Services only)


                            Support for other resources is Implementation-Specific.
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                          type: string
                        name:
                          description: |-
                            Name is the name of the referent.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          type: string
                        namespace:
                          description: |-
                            Namespace is the namespace of the referent. When unspecified, this refers
                            to the local namespace of the Route.


                            Note that there are specific rules for ParentRefs which cross namespace
                            boundaries. Cross-namespace references are only valid if they are explicitly
                            allowed by something in the namespace they are referring to. For example:
                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                            generic way to enable any other kind of cross-namespace reference.



                            ParentRefs from a Route to a Service in the same namespace are "producer"
                            routes, which apply default routing rules to inbound connections from
                            any namespace to the Service.


                            ParentRefs from a Route to a Service in a different namespace are
                            "consumer" routes, and these routing rules are only applied to outbound
                            connections originating from the same namespace as the Route, for which
                            the intended destination of the connections are a Service targeted as a
                            ParentRef of the Route.



                            Support: Core
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                          type: string
                        port:
                          description: |-
                            Port is the network port this Route targets. It can be interpreted
                            differently based on the type of parent resource.


                            When the parent resource is a Gateway, this targets all listeners
                            listening on the specified port that also support this kind of Route (and
                            select this Route). It's not recommended to set `Port` unless the
                            networking behaviors specified in a Route must apply to a specific port
                            as opposed to a listener(s) whose port(s) may be changed. When both Port
                            and SectionName are specified, the name and port of the selected listener
                            must match both specified values.



                            When the parent resource is a Service, this targets a specific port in the
                            Service spec. When both Port (experimental) and SectionName are specified,
                            the name and port of the selected port must match both specified values.



                            Implementations MAY choose to support other parent resources.
                            Implementations supporting other types of parent resources MUST clearly
                            document how/if Port is interpreted.


                            For the purpose of status, an attachment is considered successful as
                            long as the parent resource accepts it partially. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                            from the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route,
                            the Route MUST be considered detached from the Gateway.


                            Support: Extended
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        sectionName:
                          description: |-
                            SectionName is the name of a section within the target resource. In the
                            following resources, SectionName is interpreted as the following:


                            * Gateway: Listener name. When both Port (experimental) and SectionName
                              are specified, the name and port of the selected listener must match
                              both specified values.
                            * Service: Port name. When both Port (experimental) and SectionName
                              are specified, the name and port of the selected listener must match
                              both specified values.


                            Implementations MAY choose to support attaching Routes to other resources.
                            If that is the case, they MUST clearly document how SectionName is
                            interpreted.


                            When unspecified (empty string), this will reference the entire resource.
                            For the purpose of status, an attachment is considered successful if at
                            least one section in the parent resource accepts it. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                            the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route, the
                            Route MUST be considered detached from the Gateway.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                      required:
                      - name
                      type: object
                  required:
                  - controllerName
                  - parentRef
                  type: object
                maxItems: 32
                type: array
            required:
            - parents
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - deprecated: true
    deprecationWarning: The v1alpha2 version of GRPCRoute has been deprecated and
      will be removed in a future release of the API. Please upgrade to v1.
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: |-
          GRPCRoute provides a way to route gRPC requests. This includes the capability
          to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
          Filters can be used to specify additional processing steps. Backends specify
          where matching requests will be routed.


          GRPCRoute falls under extended support within the Gateway API. Within the
          following specification, the word "MUST" indicates that an implementation
          supporting GRPCRoute must conform to the indicated requirement, but an
          implementation not supporting this route type need not follow the requirement
          unless explicitly indicated.


          Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
          accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
          ALPN. If the implementation does not support this, then it MUST set the
          "Accepted" condition to "False" for the affected listener with a reason of
          "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections
          with an upgrade from HTTP/1.


          Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
          support HTTP/2 over cleartext TCP (h2c,
          https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
          upgrade from HTTP/1.1, i.e. with prior knowledge
          (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
          does not support this, then it MUST set the "Accepted" condition to "False"
          for the affected listener with a reason of "UnsupportedProtocol".
          Implementations MAY also accept HTTP/2 connections with an upgrade from
          HTTP/1, i.e. without prior knowledge.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of GRPCRoute.
            properties:
              hostnames:
                description: |-
                  Hostnames defines a set of hostnames to match against the GRPC
                  Host header to select a GRPCRoute to process the request. This matches
                  the RFC 1123 definition of a hostname with 2 notable exceptions:


                  1. IPs are not allowed.
                  2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                     label MUST appear by itself as the first label.


                  If a hostname is specified by both the Listener and GRPCRoute, there
                  MUST be at least one intersecting hostname for the GRPCRoute to be
                  attached to the Listener. For example:


                  * A Listener with `test.example.com` as the hostname matches GRPCRoutes
                    that have either not specified any hostnames, or have specified at
                    least one of `test.example.com` or `*.example.com`.
                  * A Listener with `*.example.com` as the hostname matches GRPCRoutes
                    that have either not specified any hostnames or have specified at least
                    one hostname that matches the Listener hostname. For example,
                    `test.example.com` and `*.example.com` would both match. On the other
                    hand, `example.com` and `test.example.net` would not match.


                  Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
                  as a suffix match. That means that a match for `*.example.com` would match
                  both `test.example.com`, and `foo.test.example.com`, but not `example.com`.


                  If both the Listener and GRPCRoute have specified hostnames, any
                  GRPCRoute hostnames that do not match the Listener hostname MUST be
                  ignored. For example, if a Listener specified `*.example.com`, and the
                  GRPCRoute specified `test.example.com` and `test.example.net`,
                  `test.example.net` MUST NOT be considered for a match.


                  If both the Listener and GRPCRoute have specified hostnames, and none
                  match with the criteria above, then the GRPCRoute MUST NOT be accepted by
                  the implementation. The implementation MUST raise an 'Accepted' Condition
                  with a status of `False` in the corresponding RouteParentStatus.


                  If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
                  Listener and that listener already has another Route (B) of the other
                  type attached and the intersection of the hostnames of A and B is
                  non-empty, then the implementation MUST accept exactly one of these two
                  routes, determined by the following criteria, in order:


                  * The oldest Route based on creation timestamp.
                  * The Route appearing first in alphabetical order by
                    "{namespace}/{name}".


                  The rejected Route MUST raise an 'Accepted' condition with a status of
                  'False' in the corresponding RouteParentStatus.


                  Support: Core
                items:
                  description: |-
                    Hostname is the fully qualified domain name of a network host. This matches
                    the RFC 1123 definition of a hostname with 2 notable exceptions:


                    1. IPs are not allowed.
                    2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                       label must appear by itself as the first label.


                    Hostname can be "precise" which is a domain name without the terminating
                    dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
                    domain name prefixed with a single wildcard label (e.g. `*.example.com`).


                    Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
                    alphanumeric characters or '-', and must start and end with an alphanumeric
                    character. No other punctuation is allowed.
                  maxLength: 253
                  minLength: 1
                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                  type: string
                maxItems: 16
                type: array
              parentRefs:
                description: |+
                  ParentRefs references the resources (usually Gateways) that a Route wants
                  to be attached to. Note that the referenced parent resource needs to
                  allow this for the attachment to be complete. For Gateways, that means
                  the Gateway needs to allow attachment from Routes of this kind and
                  namespace. For Services, that means the Service must either be in the same
                  namespace for a "producer" route, or the mesh implementation must support
                  and allow "consumer" routes for the referenced Service. ReferenceGrant is
                  not applicable for governing ParentRefs to Services - it is not possible to
                  create a "producer" route for a Service in a different namespace from the
                  Route.


                  There are two kinds of parent resources with "Core" support:


                  * Gateway (Gateway conformance profile)
                  * Service (Mesh conformance profile, ClusterIP Services only)


                  This API may be extended in the future to support additional kinds of parent
                  resources.


                  ParentRefs must be _distinct_. This means either that:


                  * They select different objects. If this is the case, then parentRef
                    entries are distinct. In terms of fields, this means that the
                    multi-part key defined by `group`, `kind`, `namespace`, and `name` must
                    be unique across all parentRef entries in the Route.
                  * They do not select different objects, but for each optional field used,
                    each ParentRef that selects the same object must set the same set of
                    optional fields to different values. If one ParentRef sets a
                    combination of optional fields, all must set the same combination.


                  Some examples:


                  * If one ParentRef sets `sectionName`, all ParentRefs referencing the
                    same object must also set `sectionName`.
                  * If one ParentRef sets `port`, all ParentRefs referencing the same
                    object must also set `port`.
                  * If one ParentRef sets `sectionName` and `port`, all ParentRefs
                    referencing the same object must also set `sectionName` and `port`.


                  It is possible to separately reference multiple distinct objects that may
                  be collapsed by an implementation. For example, some implementations may
                  choose to merge compatible Gateway Listeners together. If that is the
                  case, the list of routes attached to those resources should also be
                  merged.


                  Note that for ParentRefs that cross namespace boundaries, there are specific
                  rules. Cross-namespace references are only valid if they are explicitly
                  allowed by something in the namespace they are referring to. For example,
                  Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                  generic way to enable other kinds of cross-namespace reference.



                  ParentRefs from a Route to a Service in the same namespace are "producer"
                  routes, which apply default routing rules to inbound connections from
                  any namespace to the Service.


                  ParentRefs from a Route to a Service in a different namespace are
                  "consumer" routes, and these routing rules are only applied to outbound
                  connections originating from the same namespace as the Route, for which
                  the intended destination of the connections are a Service targeted as a
                  ParentRef of the Route.






                items:
                  description: |-
                    ParentReference identifies an API object (usually a Gateway) that can be considered
                    a parent of this resource (usually a route). There are two kinds of parent resources
                    with "Core" support:


                    * Gateway (Gateway conformance profile)
                    * Service (Mesh conformance profile, ClusterIP Services only)


                    This API may be extended in the future to support additional kinds of parent
                    resources.


                    The API object must be valid in the cluster; the Group and Kind must
                    be registered in the cluster for this reference to be valid.
                  properties:
                    group:
                      default: gateway.networking.k8s.io
                      description: |-
                        Group is the group of the referent.
                        When unspecified, "gateway.networking.k8s.io" is inferred.
                        To set the core API group (such as for a "Service" kind referent),
                        Group must be explicitly set to "" (empty string).


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      default: Gateway
                      description: |-
                        Kind is kind of the referent.


                        There are two kinds of parent resources with "Core" support:


                        * Gateway (Gateway conformance profile)
                        * Service (Mesh conformance profile, ClusterIP Services only)


                        Support for other resources is Implementation-Specific.
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent. When unspecified, this refers
                        to the local namespace of the Route.


                        Note that there are specific rules for ParentRefs which cross namespace
                        boundaries. Cross-namespace references are only valid if they are explicitly
                        allowed by something in the namespace they are referring to. For example:
                        Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                        generic way to enable any other kind of cross-namespace reference.



                        ParentRefs from a Route to a Service in the same namespace are "producer"
                        routes, which apply default routing rules to inbound connections from
                        any namespace to the Service.


                        ParentRefs from a Route to a Service in a different namespace are
                        "consumer" routes, and these routing rules are only applied to outbound
                        connections originating from the same namespace as the Route, for which
                        the intended destination of the connections are a Service targeted as a
                        ParentRef of the Route.



                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    port:
                      description: |-
                        Port is the network port this Route targets. It can be interpreted
                        differently based on the type of parent resource.


                        When the parent resource is a Gateway, this targets all listeners
                        listening on the specified port that also support this kind of Route (and
                        select this Route). It's not recommended to set `Port` unless the
                        networking behaviors specified in a Route must apply to a specific port
                        as opposed to a listener(s) whose port(s) may be changed. When both Port
                        and SectionName are specified, the name and port of the selected listener
                        must match both specified values.



                        When the parent resource is a Service, this targets a specific port in the
                        Service spec. When both Port (experimental) and SectionName are specified,
                        the name and port of the selected port must match both specified values.



                        Implementations MAY choose to support other parent resources.
                        Implementations supporting other types of parent resources MUST clearly
                        document how/if Port is interpreted.


                        For the purpose of status, an attachment is considered successful as
                        long as the parent resource accepts it partially. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                        from the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route,
                        the Route MUST be considered detached from the Gateway.


                        Support: Extended
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    sectionName:
                      description: |-
                        SectionName is the name of a section within the target resource. In the
                        following resources, SectionName is interpreted as the following:


                        * Gateway: Listener name. When both Port (experimental) and SectionName
                          are specified, the name and port of the selected listener must match
                          both specified values.
                        * Service: Port name. When both Port (experimental) and SectionName
                          are specified, the name and port of the selected listener must match
                          both specified values.


                        Implementations MAY choose to support attaching Routes to other resources.
                        If that is the case, they MUST clearly document how SectionName is
                        interpreted.


                        When unspecified (empty string), this will reference the entire resource.
                        For the purpose of status, an attachment is considered successful if at
                        least one section in the parent resource accepts it. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                        the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route, the
                        Route MUST be considered detached from the Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                  required:
                  - name
                  type: object
                maxItems: 32
                type: array
                x-kubernetes-validations:
                - message: sectionName or port must be specified when parentRefs includes
                    2 or more references to the same parent
                  rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
                    == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
                    || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
                    == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
                    || p2.port == 0)): true))'
                - message: sectionName or port must be unique when parentRefs includes
                    2 or more references to the same parent
                  rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
                    == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
                    || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
                    == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
                    == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
                    || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
                    == p2.port))))
              rules:
                description: Rules are a list of GRPC matchers, filters and actions.
                items:
                  description: |-
                    GRPCRouteRule defines the semantics for matching a gRPC request based on
                    conditions (matches), processing it (filters), and forwarding the request to
                    an API object (backendRefs).
                  properties:
                    backendRefs:
                      description: |-
                        BackendRefs defines the backend(s) where matching requests should be
                        sent.


                        Failure behavior here depends on how many BackendRefs are specified and
                        how many are invalid.


                        If *all* entries in BackendRefs are invalid, and there are also no filters
                        specified in this route rule, *all* traffic which matches this rule MUST
                        receive an `UNAVAILABLE` status.


                        See the GRPCBackendRef definition for the rules about what makes a single
                        GRPCBackendRef invalid.


                        When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
                        requests that would have otherwise been routed to an invalid backend. If
                        multiple backends are specified, and some are invalid, the proportion of
                        requests that would otherwise have been routed to an invalid backend
                        MUST receive an `UNAVAILABLE` status.


                        For example, if two backends are specified with equal weights, and one is
                        invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
                        Implementations may choose how that 50 percent is determined.


                        Support: Core for Kubernetes Service


                        Support: Implementation-specific for any other resource


                        Support for weight: Core
                      items:
                        description: |-
                          GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.


                          Note that when a namespace different than the local namespace is specified, a
                          ReferenceGrant object is required in the referent namespace to allow that
                          namespace's owner to accept the reference. See the ReferenceGrant
                          documentation for details.


                          <gateway:experimental:description>


                          When the BackendRef points to a Kubernetes Service, implementations SHOULD
                          honor the appProtocol field if it is set for the target Service Port.


                          Implementations supporting appProtocol SHOULD recognize the Kubernetes
                          Standard Application Protocols defined in KEP-3726.


                          If a Service appProtocol isn't specified, an implementation MAY infer the
                          backend protocol through its own means. Implementations MAY infer the
                          protocol from the Route type referring to the backend Service.


                          If a Route is not able to send traffic to the backend using the specified
                          protocol then the backend is considered invalid. Implementations MUST set the
                          "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.


                          </gateway:experimental:description>
                        properties:
                          filters:
                            description: |-
                              Filters defined at this level MUST be executed if and only if the
                              request is being forwarded to the backend defined here.


                              Support: Implementation-specific (For broader support of filters, use the
                              Filters field in GRPCRouteRule.)
                            items:
                              description: |-
                                GRPCRouteFilter defines processing steps that must be completed during the
                                request or response lifecycle. GRPCRouteFilters are meant as an extension
                                point to express processing that may be done in Gateway implementations. Some
                                examples include request or response modification, implementing
                                authentication strategies, rate-limiting, and traffic shaping. API
                                guarantee/conformance is defined based on the type of the filter.
                              properties:
                                extensionRef:
                                  description: |-
                                    ExtensionRef is an optional, implementation-specific extension to the
                                    "filter" behavior. For example, resource "myroutefilter" in group
                                    "networking.example.net"). ExtensionRef MUST NOT be used for core and
                                    extended filters.


                                    Support: Implementation-specific


                                    This filter can be used multiple times within the same rule.
                                  properties:
                                    group:
                                      description: |-
                                        Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                        When unspecified or empty string, core API group is inferred.
                                      maxLength: 253
                                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    kind:
                                      description: Kind is kind of the referent. For
                                        example "HTTPRoute" or "Service".
                                      maxLength: 63
                                      minLength: 1
                                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                      type: string
                                    name:
                                      description: Name is the name of the referent.
                                      maxLength: 253
                                      minLength: 1
                                      type: string
                                  required:
                                  - group
                                  - kind
                                  - name
                                  type: object
                                requestHeaderModifier:
                                  description: |-
                                    RequestHeaderModifier defines a schema for a filter that modifies request
                                    headers.


                                    Support: Core
                                  properties:
                                    add:
                                      description: |-
                                        Add adds the given header(s) (name, value) to the request
                                        before the action. It appends to any existing values associated
                                        with the header name.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          add:
                                          - name: "my-header"
                                            value: "bar,baz"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: foo,bar,baz
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                    remove:
                                      description: |-
                                        Remove the given header(s) from the HTTP request before the action. The
                                        value of Remove is a list of HTTP header names. Note that the header
                                        names are case-insensitive (see
                                        https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header1: foo
                                          my-header2: bar
                                          my-header3: baz


                                        Config:
                                          remove: ["my-header1", "my-header3"]


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header2: bar
                                      items:
                                        type: string
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-type: set
                                    set:
                                      description: |-
                                        Set overwrites the request with the given header (name, value)
                                        before the action.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          set:
                                          - name: "my-header"
                                            value: "bar"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: bar
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                  type: object
                                requestMirror:
                                  description: |-
                                    RequestMirror defines a schema for a filter that mirrors requests.
                                    Requests are sent to the specified destination, but responses from
                                    that destination are ignored.


                                    This filter can be used multiple times within the same rule. Note that
                                    not all implementations will be able to support mirroring to multiple
                                    backends.


                                    Support: Extended
                                  properties:
                                    backendRef:
                                      description: |-
                                        BackendRef references a resource where mirrored requests are sent.


                                        Mirrored requests must be sent only to a single destination endpoint
                                        within this BackendRef, irrespective of how many endpoints are present
                                        within this BackendRef.


                                        If the referent cannot be found, this BackendRef is invalid and must be
                                        dropped from the Gateway. The controller must ensure the "ResolvedRefs"
                                        condition on the Route status is set to `status: False` and not configure
                                        this backend in the underlying implementation.


                                        If there is a cross-namespace reference to an *existing* object
                                        that is not allowed by a ReferenceGrant, the controller must ensure the
                                        "ResolvedRefs" condition on the Route is set to `status: False`,
                                        with the "RefNotPermitted" reason and not configure this backend in the
                                        underlying implementation.


                                        In either error case, the Message of the `ResolvedRefs` Condition
                                        should be used to provide more detail about the problem.


                                        Support: Extended for Kubernetes Service


                                        Support: Implementation-specific for any other resource
                                      properties:
                                        group:
                                          default: ""
                                          description: |-
                                            Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                            When unspecified or empty string, core API group is inferred.
                                          maxLength: 253
                                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                          type: string
                                        kind:
                                          default: Service
                                          description: |-
                                            Kind is the Kubernetes resource kind of the referent. For example
                                            "Service".


                                            Defaults to "Service" when not specified.


                                            ExternalName services can refer to CNAME DNS records that may live
                                            outside of the cluster and as such are difficult to reason about in
                                            terms of conformance. They also may not be safe to forward to (see
                                            CVE-2021-25740 for more information). Implementations SHOULD NOT
                                            support ExternalName Services.


                                            Support: Core (Services with a type other than ExternalName)


                                            Support: Implementation-specific (Services with type ExternalName)
                                          maxLength: 63
                                          minLength: 1
                                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                          type: string
                                        name:
                                          description: Name is the name of the referent.
                                          maxLength: 253
                                          minLength: 1
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace is the namespace of the backend. When unspecified, the local
                                            namespace is inferred.


                                            Note that when a namespace different than the local namespace is specified,
                                            a ReferenceGrant object is required in the referent namespace to allow that
                                            namespace's owner to accept the reference. See the ReferenceGrant
                                            documentation for details.


                                            Support: Core
                                          maxLength: 63
                                          minLength: 1
                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                          type: string
                                        port:
                                          description: |-
                                            Port specifies the destination port number to use for this resource.
                                            Port is required when the referent is a Kubernetes Service. In this
                                            case, the port number is the service port number, not the target port.
                                            For other resources, destination port might be derived from the referent
                                            resource or this field.
                                          format: int32
                                          maximum: 65535
                                          minimum: 1
                                          type: integer
                                      required:
                                      - name
                                      type: object
                                      x-kubernetes-validations:
                                      - message: Must have port for Service reference
                                        rule: '(size(self.group) == 0 && self.kind
                                          == ''Service'') ? has(self.port) : true'
                                  required:
                                  - backendRef
                                  type: object
                                responseHeaderModifier:
                                  description: |-
                                    ResponseHeaderModifier defines a schema for a filter that modifies response
                                    headers.


                                    Support: Extended
                                  properties:
                                    add:
                                      description: |-
                                        Add adds the given header(s) (name, value) to the request
                                        before the action. It appends to any existing values associated
                                        with the header name.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          add:
                                          - name: "my-header"
                                            value: "bar,baz"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: foo,bar,baz
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                    remove:
                                      description: |-
                                        Remove the given header(s) from the HTTP request before the action. The
                                        value of Remove is a list of HTTP header names. Note that the header
                                        names are case-insensitive (see
                                        https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header1: foo
                                          my-header2: bar
                                          my-header3: baz


                                        Config:
                                          remove: ["my-header1", "my-header3"]


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header2: bar
                                      items:
                                        type: string
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-type: set
                                    set:
                                      description: |-
                                        Set overwrites the request with the given header (name, value)
                                        before the action.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          set:
                                          - name: "my-header"
                                            value: "bar"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: bar
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                  type: object
                                type:
                                  description: |+
                                    Type identifies the type of filter to apply. As with other API fields,
                                    types are classified into three conformance levels:


                                    - Core: Filter types and their corresponding configuration defined by
                                      "Support: Core" in this package, e.g. "RequestHeaderModifier". All
                                      implementations supporting GRPCRoute MUST support core filters.


                                    - Extended: Filter types and their corresponding configuration defined by
                                      "Support: Extended" in this package, e.g. "RequestMirror". Implementers
                                      are encouraged to support extended filters.


                                    - Implementation-specific: Filters that are defined and supported by specific vendors.
                                      In the future, filters showing convergence in behavior across multiple
                                      implementations will be considered for inclusion in extended or core
                                      conformance levels. Filter-specific configuration for such filters
                                      is specified using the ExtensionRef field. `Type` MUST be set to
                                      "ExtensionRef" for custom filters.


                                    Implementers are encouraged to define custom implementation types to
                                    extend the core API with implementation-specific behavior.


                                    If a reference to a custom filter type cannot be resolved, the filter
                                    MUST NOT be skipped. Instead, requests that would have been processed by
                                    that filter MUST receive a HTTP error response.


                                  enum:
                                  - ResponseHeaderModifier
                                  - RequestHeaderModifier
                                  - RequestMirror
                                  - ExtensionRef
                                  type: string
                              required:
                              - type
                              type: object
                              x-kubernetes-validations:
                              - message: filter.requestHeaderModifier must be nil
                                  if the filter.type is not RequestHeaderModifier
                                rule: '!(has(self.requestHeaderModifier) && self.type
                                  != ''RequestHeaderModifier'')'
                              - message: filter.requestHeaderModifier must be specified
                                  for RequestHeaderModifier filter.type
                                rule: '!(!has(self.requestHeaderModifier) && self.type
                                  == ''RequestHeaderModifier'')'
                              - message: filter.responseHeaderModifier must be nil
                                  if the filter.type is not ResponseHeaderModifier
                                rule: '!(has(self.responseHeaderModifier) && self.type
                                  != ''ResponseHeaderModifier'')'
                              - message: filter.responseHeaderModifier must be specified
                                  for ResponseHeaderModifier filter.type
                                rule: '!(!has(self.responseHeaderModifier) && self.type
                                  == ''ResponseHeaderModifier'')'
                              - message: filter.requestMirror must be nil if the filter.type
                                  is not RequestMirror
                                rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
                              - message: filter.requestMirror must be specified for
                                  RequestMirror filter.type
                                rule: '!(!has(self.requestMirror) && self.type ==
                                  ''RequestMirror'')'
                              - message: filter.extensionRef must be nil if the filter.type
                                  is not ExtensionRef
                                rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
                              - message: filter.extensionRef must be specified for
                                  ExtensionRef filter.type
                                rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
                            maxItems: 16
                            type: array
                            x-kubernetes-validations:
                            - message: RequestHeaderModifier filter cannot be repeated
                              rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
                                <= 1
                            - message: ResponseHeaderModifier filter cannot be repeated
                              rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
                                <= 1
                          group:
                            default: ""
                            description: |-
                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
                              When unspecified or empty string, core API group is inferred.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            default: Service
                            description: |-
                              Kind is the Kubernetes resource kind of the referent. For example
                              "Service".


                              Defaults to "Service" when not specified.


                              ExternalName services can refer to CNAME DNS records that may live
                              outside of the cluster and as such are difficult to reason about in
                              terms of conformance. They also may not be safe to forward to (see
                              CVE-2021-25740 for more information). Implementations SHOULD NOT
                              support ExternalName Services.


                              Support: Core (Services with a type other than ExternalName)


                              Support: Implementation-specific (Services with type ExternalName)
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                          name:
                            description: Name is the name of the referent.
                            maxLength: 253
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace is the namespace of the backend. When unspecified, the local
                              namespace is inferred.


                              Note that when a namespace different than the local namespace is specified,
                              a ReferenceGrant object is required in the referent namespace to allow that
                              namespace's owner to accept the reference. See the ReferenceGrant
                              documentation for details.


                              Support: Core
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          port:
                            description: |-
                              Port specifies the destination port number to use for this resource.
                              Port is required when the referent is a Kubernetes Service. In this
                              case, the port number is the service port number, not the target port.
                              For other resources, destination port might be derived from the referent
                              resource or this field.
                            format: int32
                            maximum: 65535
                            minimum: 1
                            type: integer
                          weight:
                            default: 1
                            description: |-
                              Weight specifies the proportion of requests forwarded to the referenced
                              backend. This is computed as weight/(sum of all weights in this
                              BackendRefs list). For non-zero values, there may be some epsilon from
                              the exact proportion defined here depending on the precision an
                              implementation supports. Weight is not a percentage and the sum of
                              weights does not need to equal 100.


                              If only one backend is specified and it has a weight greater than 0, 100%
                              of the traffic is forwarded to that backend. If weight is set to 0, no
                              traffic should be forwarded for this entry. If unspecified, weight
                              defaults to 1.


                              Support for this field varies based on the context where used.
                            format: int32
                            maximum: 1000000
                            minimum: 0
                            type: integer
                        required:
                        - name
                        type: object
                        x-kubernetes-validations:
                        - message: Must have port for Service reference
                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
                            ? has(self.port) : true'
                      maxItems: 16
                      type: array
                    filters:
                      description: |-
                        Filters define the filters that are applied to requests that match
                        this rule.


                        The effects of ordering of multiple behaviors are currently unspecified.
                        This can change in the future based on feedback during the alpha stage.


                        Conformance-levels at this level are defined based on the type of filter:


                        - ALL core filters MUST be supported by all implementations that support
                          GRPCRoute.
                        - Implementers are encouraged to support extended filters.
                        - Implementation-specific custom filters have no API guarantees across
                          implementations.


                        Specifying the same filter multiple times is not supported unless explicitly
                        indicated in the filter.


                        If an implementation can not support a combination of filters, it must clearly
                        document that limitation. In cases where incompatible or unsupported
                        filters are specified and cause the `Accepted` condition to be set to status
                        `False`, implementations may use the `IncompatibleFilters` reason to specify
                        this configuration error.


                        Support: Core
                      items:
                        description: |-
                          GRPCRouteFilter defines processing steps that must be completed during the
                          request or response lifecycle. GRPCRouteFilters are meant as an extension
                          point to express processing that may be done in Gateway implementations. Some
                          examples include request or response modification, implementing
                          authentication strategies, rate-limiting, and traffic shaping. API
                          guarantee/conformance is defined based on the type of the filter.
                        properties:
                          extensionRef:
                            description: |-
                              ExtensionRef is an optional, implementation-specific extension to the
                              "filter" behavior. For example, resource "myroutefilter" in group
                              "networking.example.net"). ExtensionRef MUST NOT be used for core and
                              extended filters.


                              Support: Implementation-specific


                              This filter can be used multiple times within the same rule.
                            properties:
                              group:
                                description: |-
                                  Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                  When unspecified or empty string, core API group is inferred.
                                maxLength: 253
                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              kind:
                                description: Kind is kind of the referent. For example
                                  "HTTPRoute" or "Service".
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                type: string
                              name:
                                description: Name is the name of the referent.
                                maxLength: 253
                                minLength: 1
                                type: string
                            required:
                            - group
                            - kind
                            - name
                            type: object
                          requestHeaderModifier:
                            description: |-
                              RequestHeaderModifier defines a schema for a filter that modifies request
                              headers.


                              Support: Core
                            properties:
                              add:
                                description: |-
                                  Add adds the given header(s) (name, value) to the request
                                  before the action. It appends to any existing values associated
                                  with the header name.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    add:
                                    - name: "my-header"
                                      value: "bar,baz"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: foo,bar,baz
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                              remove:
                                description: |-
                                  Remove the given header(s) from the HTTP request before the action. The
                                  value of Remove is a list of HTTP header names. Note that the header
                                  names are case-insensitive (see
                                  https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header1: foo
                                    my-header2: bar
                                    my-header3: baz


                                  Config:
                                    remove: ["my-header1", "my-header3"]


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header2: bar
                                items:
                                  type: string
                                maxItems: 16
                                type: array
                                x-kubernetes-list-type: set
                              set:
                                description: |-
                                  Set overwrites the request with the given header (name, value)
                                  before the action.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    set:
                                    - name: "my-header"
                                      value: "bar"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: bar
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                            type: object
                          requestMirror:
                            description: |-
                              RequestMirror defines a schema for a filter that mirrors requests.
                              Requests are sent to the specified destination, but responses from
                              that destination are ignored.


                              This filter can be used multiple times within the same rule. Note that
                              not all implementations will be able to support mirroring to multiple
                              backends.


                              Support: Extended
                            properties:
                              backendRef:
                                description: |-
                                  BackendRef references a resource where mirrored requests are sent.


                                  Mirrored requests must be sent only to a single destination endpoint
                                  within this BackendRef, irrespective of how many endpoints are present
                                  within this BackendRef.


                                  If the referent cannot be found, this BackendRef is invalid and must be
                                  dropped from the Gateway. The controller must ensure the "ResolvedRefs"
                                  condition on the Route status is set to `status: False` and not configure
                                  this backend in the underlying implementation.


                                  If there is a cross-namespace reference to an *existing* object
                                  that is not allowed by a ReferenceGrant, the controller must ensure the
                                  "ResolvedRefs" condition on the Route is set to `status: False`,
                                  with the "RefNotPermitted" reason and not configure this backend in the
                                  underlying implementation.


                                  In either error case, the Message of the `ResolvedRefs` Condition
                                  should be used to provide more detail about the problem.
7394 7395 7396 Support: Extended for Kubernetes Service 7397 7398 7399 Support: Implementation-specific for any other resource 7400 properties: 7401 group: 7402 default: "" 7403 description: |- 7404 Group is the group of the referent. For example, "gateway.networking.k8s.io". 7405 When unspecified or empty string, core API group is inferred. 7406 maxLength: 253 7407 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 7408 type: string 7409 kind: 7410 default: Service 7411 description: |- 7412 Kind is the Kubernetes resource kind of the referent. For example 7413 "Service". 7414 7415 7416 Defaults to "Service" when not specified. 7417 7418 7419 ExternalName services can refer to CNAME DNS records that may live 7420 outside of the cluster and as such are difficult to reason about in 7421 terms of conformance. They also may not be safe to forward to (see 7422 CVE-2021-25740 for more information). Implementations SHOULD NOT 7423 support ExternalName Services. 7424 7425 7426 Support: Core (Services with a type other than ExternalName) 7427 7428 7429 Support: Implementation-specific (Services with type ExternalName) 7430 maxLength: 63 7431 minLength: 1 7432 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 7433 type: string 7434 name: 7435 description: Name is the name of the referent. 7436 maxLength: 253 7437 minLength: 1 7438 type: string 7439 namespace: 7440 description: |- 7441 Namespace is the namespace of the backend. When unspecified, the local 7442 namespace is inferred. 7443 7444 7445 Note that when a namespace different than the local namespace is specified, 7446 a ReferenceGrant object is required in the referent namespace to allow that 7447 namespace's owner to accept the reference. See the ReferenceGrant 7448 documentation for details. 
7449 7450 7451 Support: Core 7452 maxLength: 63 7453 minLength: 1 7454 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 7455 type: string 7456 port: 7457 description: |- 7458 Port specifies the destination port number to use for this resource. 7459 Port is required when the referent is a Kubernetes Service. In this 7460 case, the port number is the service port number, not the target port. 7461 For other resources, destination port might be derived from the referent 7462 resource or this field. 7463 format: int32 7464 maximum: 65535 7465 minimum: 1 7466 type: integer 7467 required: 7468 - name 7469 type: object 7470 x-kubernetes-validations: 7471 - message: Must have port for Service reference 7472 rule: '(size(self.group) == 0 && self.kind == ''Service'') 7473 ? has(self.port) : true' 7474 required: 7475 - backendRef 7476 type: object 7477 responseHeaderModifier: 7478 description: |- 7479 ResponseHeaderModifier defines a schema for a filter that modifies response 7480 headers. 7481 7482 7483 Support: Extended 7484 properties: 7485 add: 7486 description: |- 7487 Add adds the given header(s) (name, value) to the request 7488 before the action. It appends to any existing values associated 7489 with the header name. 7490 7491 7492 Input: 7493 GET /foo HTTP/1.1 7494 my-header: foo 7495 7496 7497 Config: 7498 add: 7499 - name: "my-header" 7500 value: "bar,baz" 7501 7502 7503 Output: 7504 GET /foo HTTP/1.1 7505 my-header: foo,bar,baz 7506 items: 7507 description: HTTPHeader represents an HTTP Header 7508 name and value as defined by RFC 7230. 7509 properties: 7510 name: 7511 description: |- 7512 Name is the name of the HTTP Header to be matched. Name matching MUST be 7513 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 7514 7515 7516 If multiple entries specify equivalent header names, the first entry with 7517 an equivalent name MUST be considered for a match. Subsequent entries 7518 with an equivalent header name MUST be ignored. 
Due to the 7519 case-insensitivity of header names, "foo" and "Foo" are considered 7520 equivalent. 7521 maxLength: 256 7522 minLength: 1 7523 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 7524 type: string 7525 value: 7526 description: Value is the value of HTTP Header 7527 to be matched. 7528 maxLength: 4096 7529 minLength: 1 7530 type: string 7531 required: 7532 - name 7533 - value 7534 type: object 7535 maxItems: 16 7536 type: array 7537 x-kubernetes-list-map-keys: 7538 - name 7539 x-kubernetes-list-type: map 7540 remove: 7541 description: |- 7542 Remove the given header(s) from the HTTP request before the action. The 7543 value of Remove is a list of HTTP header names. Note that the header 7544 names are case-insensitive (see 7545 https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 7546 7547 7548 Input: 7549 GET /foo HTTP/1.1 7550 my-header1: foo 7551 my-header2: bar 7552 my-header3: baz 7553 7554 7555 Config: 7556 remove: ["my-header1", "my-header3"] 7557 7558 7559 Output: 7560 GET /foo HTTP/1.1 7561 my-header2: bar 7562 items: 7563 type: string 7564 maxItems: 16 7565 type: array 7566 x-kubernetes-list-type: set 7567 set: 7568 description: |- 7569 Set overwrites the request with the given header (name, value) 7570 before the action. 7571 7572 7573 Input: 7574 GET /foo HTTP/1.1 7575 my-header: foo 7576 7577 7578 Config: 7579 set: 7580 - name: "my-header" 7581 value: "bar" 7582 7583 7584 Output: 7585 GET /foo HTTP/1.1 7586 my-header: bar 7587 items: 7588 description: HTTPHeader represents an HTTP Header 7589 name and value as defined by RFC 7230. 7590 properties: 7591 name: 7592 description: |- 7593 Name is the name of the HTTP Header to be matched. Name matching MUST be 7594 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 7595 7596 7597 If multiple entries specify equivalent header names, the first entry with 7598 an equivalent name MUST be considered for a match. 
Subsequent entries 7599 with an equivalent header name MUST be ignored. Due to the 7600 case-insensitivity of header names, "foo" and "Foo" are considered 7601 equivalent. 7602 maxLength: 256 7603 minLength: 1 7604 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 7605 type: string 7606 value: 7607 description: Value is the value of HTTP Header 7608 to be matched. 7609 maxLength: 4096 7610 minLength: 1 7611 type: string 7612 required: 7613 - name 7614 - value 7615 type: object 7616 maxItems: 16 7617 type: array 7618 x-kubernetes-list-map-keys: 7619 - name 7620 x-kubernetes-list-type: map 7621 type: object 7622 type: 7623 description: |+ 7624 Type identifies the type of filter to apply. As with other API fields, 7625 types are classified into three conformance levels: 7626 7627 7628 - Core: Filter types and their corresponding configuration defined by 7629 "Support: Core" in this package, e.g. "RequestHeaderModifier". All 7630 implementations supporting GRPCRoute MUST support core filters. 7631 7632 7633 - Extended: Filter types and their corresponding configuration defined by 7634 "Support: Extended" in this package, e.g. "RequestMirror". Implementers 7635 are encouraged to support extended filters. 7636 7637 7638 - Implementation-specific: Filters that are defined and supported by specific vendors. 7639 In the future, filters showing convergence in behavior across multiple 7640 implementations will be considered for inclusion in extended or core 7641 conformance levels. Filter-specific configuration for such filters 7642 is specified using the ExtensionRef field. `Type` MUST be set to 7643 "ExtensionRef" for custom filters. 7644 7645 7646 Implementers are encouraged to define custom implementation types to 7647 extend the core API with implementation-specific behavior. 7648 7649 7650 If a reference to a custom filter type cannot be resolved, the filter 7651 MUST NOT be skipped. 
Instead, requests that would have been processed by 7652 that filter MUST receive a HTTP error response. 7653 7654 7655 enum: 7656 - ResponseHeaderModifier 7657 - RequestHeaderModifier 7658 - RequestMirror 7659 - ExtensionRef 7660 type: string 7661 required: 7662 - type 7663 type: object 7664 x-kubernetes-validations: 7665 - message: filter.requestHeaderModifier must be nil if the 7666 filter.type is not RequestHeaderModifier 7667 rule: '!(has(self.requestHeaderModifier) && self.type != 7668 ''RequestHeaderModifier'')' 7669 - message: filter.requestHeaderModifier must be specified 7670 for RequestHeaderModifier filter.type 7671 rule: '!(!has(self.requestHeaderModifier) && self.type == 7672 ''RequestHeaderModifier'')' 7673 - message: filter.responseHeaderModifier must be nil if the 7674 filter.type is not ResponseHeaderModifier 7675 rule: '!(has(self.responseHeaderModifier) && self.type != 7676 ''ResponseHeaderModifier'')' 7677 - message: filter.responseHeaderModifier must be specified 7678 for ResponseHeaderModifier filter.type 7679 rule: '!(!has(self.responseHeaderModifier) && self.type 7680 == ''ResponseHeaderModifier'')' 7681 - message: filter.requestMirror must be nil if the filter.type 7682 is not RequestMirror 7683 rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' 7684 - message: filter.requestMirror must be specified for RequestMirror 7685 filter.type 7686 rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' 7687 - message: filter.extensionRef must be nil if the filter.type 7688 is not ExtensionRef 7689 rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' 7690 - message: filter.extensionRef must be specified for ExtensionRef 7691 filter.type 7692 rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' 7693 maxItems: 16 7694 type: array 7695 x-kubernetes-validations: 7696 - message: RequestHeaderModifier filter cannot be repeated 7697 rule: self.filter(f, f.type == 'RequestHeaderModifier').size() 
                          <= 1
                      - message: ResponseHeaderModifier filter cannot be repeated
                        rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
                          <= 1
                    matches:
                      description: |-
                        Matches define conditions used for matching the rule against incoming
                        gRPC requests. Each match is independent, i.e. this rule will be matched
                        if **any** one of the matches is satisfied.


                        For example, take the following matches configuration:


                        ```
                        matches:
                        - method:
                            service: foo.bar
                          headers:
                            values:
                              version: 2
                        - method:
                            service: foo.bar.v2
                        ```


                        For a request to match against this rule, it MUST satisfy
                        EITHER of the two conditions:


                        - service of foo.bar AND contains the header `version: 2`
                        - service of foo.bar.v2


                        See the documentation for GRPCRouteMatch on how to specify multiple
                        match conditions to be ANDed together.


                        If no matches are specified, the implementation MUST match every gRPC request.


                        Proxy or Load Balancer routing configuration generated from GRPCRoutes
                        MUST prioritize rules based on the following criteria, continuing on
                        ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
                        Precedence MUST be given to the rule with the largest number of:


                        * Characters in a matching non-wildcard hostname.
                        * Characters in a matching hostname.
                        * Characters in a matching service.
                        * Characters in a matching method.
                        * Header matches.


                        If ties still exist across multiple Routes, matching precedence MUST be
                        determined in order of the following criteria, continuing on ties:


                        * The oldest Route based on creation timestamp.
                        * The Route appearing first in alphabetical order by
                          "{namespace}/{name}".


                        If ties still exist within the Route that has been given precedence,
                        matching precedence MUST be granted to the first matching rule meeting
                        the above criteria.
                      items:
                        description: |-
                          GRPCRouteMatch defines the predicate used to match requests to a given
                          action. Multiple match types are ANDed together, i.e. the match will
                          evaluate to true only if all conditions are satisfied.


                          For example, the match below will match a gRPC request only if its service
                          is `foo` AND it contains the `version: v1` header:


                          ```
                          matches:
                          - method:
                              type: Exact
                              service: "foo"
                            headers:
                            - name: "version"
                              value: "v1"


                          ```
                        properties:
                          headers:
                            description: |-
                              Headers specifies gRPC request header matchers. Multiple match values are
                              ANDed together, meaning, a request MUST match all the specified headers
                              to select the route.
                            items:
                              description: |-
                                GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
                                headers.
                              properties:
                                name:
                                  description: |-
                                    Name is the name of the gRPC Header to be matched.


                                    If multiple entries specify equivalent header names, only the first
                                    entry with an equivalent name MUST be considered for a match. Subsequent
                                    entries with an equivalent header name MUST be ignored. Due to the
                                    case-insensitivity of header names, "foo" and "Foo" are considered
                                    equivalent.
                                  maxLength: 256
                                  minLength: 1
                                  pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                  type: string
                                type:
                                  default: Exact
                                  description: Type specifies how to match against
                                    the value of the header.
                                  enum:
                                  - Exact
                                  - RegularExpression
                                  type: string
                                value:
                                  description: Value is the value of the gRPC Header
                                    to be matched.
                                  maxLength: 4096
                                  minLength: 1
                                  type: string
                              required:
                              - name
                              - value
                              type: object
                            maxItems: 16
                            type: array
                            x-kubernetes-list-map-keys:
                            - name
                            x-kubernetes-list-type: map
                          method:
                            description: |-
                              Method specifies a gRPC request service/method matcher. If this field is
                              not specified, all services and methods will match.
                            properties:
                              method:
                                description: |-
                                  Value of the method to match against. If left empty or omitted, will
                                  match all services.


                                  At least one of Service and Method MUST be a non-empty string.
                                maxLength: 1024
                                type: string
                              service:
                                description: |-
                                  Value of the service to match against. If left empty or omitted, will
                                  match any service.


                                  At least one of Service and Method MUST be a non-empty string.
                                maxLength: 1024
                                type: string
                              type:
                                default: Exact
                                description: |-
                                  Type specifies how to match against the service and/or method.
                                  Support: Core (Exact with service and method specified)


                                  Support: Implementation-specific (Exact with method specified but no service specified)


                                  Support: Implementation-specific (RegularExpression)
                                enum:
                                - Exact
                                - RegularExpression
                                type: string
                            type: object
                            x-kubernetes-validations:
                            - message: One or both of 'service' or 'method' must be
                                specified
                              rule: 'has(self.type) ? has(self.service) || has(self.method)
                                : true'
                            - message: service must only contain valid characters
                                (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
                              rule: '(!has(self.type) || self.type == ''Exact'') &&
                                has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
                                true'
                            - message: method must only contain valid characters (matching
                                ^[A-Za-z_][A-Za-z_0-9]*$)
                              rule: '(!has(self.type) || self.type == ''Exact'') &&
                                has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
                                true'
                        type: object
                      maxItems: 8
                      type: array
                    sessionPersistence:
                      description: |+
                        SessionPersistence defines and configures session persistence
                        for the route rule.


                        Support: Extended


                      properties:
                        absoluteTimeout:
                          description: |-
                            AbsoluteTimeout defines the absolute timeout of the persistent
                            session. Once the AbsoluteTimeout duration has elapsed, the
                            session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        cookieConfig:
                          description: |-
                            CookieConfig provides configuration settings that are specific
                            to cookie-based session persistence.


                            Support: Core
                          properties:
                            lifetimeType:
                              default: Session
                              description: |-
                                LifetimeType specifies whether the cookie has a permanent or
                                session-based lifetime. A permanent cookie persists until its
                                specified expiry time, defined by the Expires or Max-Age cookie
                                attributes, while a session cookie is deleted when the current
                                session ends.


                                When set to "Permanent", AbsoluteTimeout indicates the
                                cookie's lifetime via the Expires or Max-Age cookie attributes
                                and is required.


                                When set to "Session", AbsoluteTimeout indicates the
                                absolute lifetime of the cookie tracked by the gateway and
                                is optional.


                                Support: Core for "Session" type


                                Support: Extended for "Permanent" type
                              enum:
                              - Permanent
                              - Session
                              type: string
                          type: object
                        idleTimeout:
                          description: |-
                            IdleTimeout defines the idle timeout of the persistent session.
                            Once the session has been idle for more than the specified
                            IdleTimeout duration, the session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        sessionName:
                          description: |-
                            SessionName defines the name of the persistent session token
                            which may be reflected in the cookie or the header. Users
                            should avoid reusing session names to prevent unintended
                            consequences, such as rejection or unpredictable behavior.


                            Support: Implementation-specific
                          maxLength: 128
                          type: string
                        type:
                          default: Cookie
                          description: |-
                            Type defines the type of session persistence such as through
                            the use of a header or cookie. Defaults to cookie based session
                            persistence.


                            Support: Core for "Cookie" type


                            Support: Extended for "Header" type
                          enum:
                          - Cookie
                          - Header
                          type: string
                      type: object
                      x-kubernetes-validations:
                      - message: AbsoluteTimeout must be specified when cookie lifetimeType
                          is Permanent
                        rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType
                          != ''Permanent'' || has(self.absoluteTimeout)'
                  type: object
                maxItems: 16
                type: array
            type: object
          status:
            description: Status defines the current state of GRPCRoute.
            properties:
              parents:
                description: |-
                  Parents is a list of parent resources (usually Gateways) that are
                  associated with the route, and the status of the route with respect to
                  each parent. When this route attaches to a parent, the controller that
                  manages the parent must add an entry to this list when the controller
                  first sees the route and should update the entry as appropriate when the
                  route or gateway is modified.


                  Note that parent references that cannot be resolved by an implementation
                  of this API will not be added to this list. Implementations of this API
                  can only populate Route status for the Gateways/parent resources they are
                  responsible for.


                  A maximum of 32 Gateways will be represented in this list. An empty list
                  means the route has not been attached to any Gateway.
                items:
                  description: |-
                    RouteParentStatus describes the status of a route with respect to an
                    associated Parent.
                  properties:
                    conditions:
                      description: |-
                        Conditions describes the status of the route with respect to the Gateway.
                        Note that the route's availability is also subject to the Gateway's own
                        status conditions and listener status.


                        If the Route's ParentRef specifies an existing Gateway that supports
                        Routes of this kind AND that Gateway's controller has sufficient access,
                        then that Gateway's controller MUST set the "Accepted" condition on the
                        Route, to indicate whether the route has been accepted or rejected by the
                        Gateway, and why.


                        A Route MUST be considered "Accepted" if at least one of the Route's
                        rules is implemented by the Gateway.


                        There are a number of cases where the "Accepted" condition may not be set
                        due to lack of controller visibility, that includes when:


                        * The Route refers to a non-existent parent.
                        * The Route is of a type that the controller does not support.
                        * The Route is in a namespace the controller does not have access to.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      minItems: 1
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    controllerName:
                      description: |-
                        ControllerName is a domain/path string that indicates the name of the
                        controller that wrote this status. This corresponds with the
                        controllerName field on GatewayClass.


                        Example: "example.net/gateway-controller".


                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
                        valid Kubernetes names
                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).


                        Controllers MUST populate this field when writing status. Controllers should ensure that
                        entries to status populated with their ControllerName are cleaned up when they are no
                        longer necessary.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    parentRef:
                      description: |-
                        ParentRef corresponds with a ParentRef in the spec that this
                        RouteParentStatus struct describes the status of.
                      properties:
                        group:
                          default: gateway.networking.k8s.io
                          description: |-
                            Group is the group of the referent.
                            When unspecified, "gateway.networking.k8s.io" is inferred.
                            To set the core API group (such as for a "Service" kind referent),
                            Group must be explicitly set to "" (empty string).


                            Support: Core
                          maxLength: 253
                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        kind:
                          default: Gateway
                          description: |-
                            Kind is kind of the referent.


                            There are two kinds of parent resources with "Core" support:


                            * Gateway (Gateway conformance profile)
                            * Service (Mesh conformance profile, ClusterIP Services only)


                            Support for other resources is Implementation-Specific.
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                          type: string
                        name:
                          description: |-
                            Name is the name of the referent.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          type: string
                        namespace:
                          description: |-
                            Namespace is the namespace of the referent. When unspecified, this refers
                            to the local namespace of the Route.


                            Note that there are specific rules for ParentRefs which cross namespace
                            boundaries. Cross-namespace references are only valid if they are explicitly
                            allowed by something in the namespace they are referring to. For example:
                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                            generic way to enable any other kind of cross-namespace reference.



                            ParentRefs from a Route to a Service in the same namespace are "producer"
                            routes, which apply default routing rules to inbound connections from
                            any namespace to the Service.


                            ParentRefs from a Route to a Service in a different namespace are
                            "consumer" routes, and these routing rules are only applied to outbound
                            connections originating from the same namespace as the Route, for which
                            the intended destination of the connections are a Service targeted as a
                            ParentRef of the Route.



                            Support: Core
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                          type: string
                        port:
                          description: |-
                            Port is the network port this Route targets. It can be interpreted
                            differently based on the type of parent resource.


                            When the parent resource is a Gateway, this targets all listeners
                            listening on the specified port that also support this kind of Route (and
                            select this Route). It's not recommended to set `Port` unless the
                            networking behaviors specified in a Route must apply to a specific port
                            as opposed to a listener(s) whose port(s) may be changed. When both Port
                            and SectionName are specified, the name and port of the selected listener
                            must match both specified values.



                            When the parent resource is a Service, this targets a specific port in the
                            Service spec. When both Port (experimental) and SectionName are specified,
                            the name and port of the selected port must match both specified values.



                            Implementations MAY choose to support other parent resources.
                            Implementations supporting other types of parent resources MUST clearly
                            document how/if Port is interpreted.


                            For the purpose of status, an attachment is considered successful as
                            long as the parent resource accepts it partially. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                            from the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route,
                            the Route MUST be considered detached from the Gateway.


                            Support: Extended
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        sectionName:
                          description: |-
                            SectionName is the name of a section within the target resource. In the
                            following resources, SectionName is interpreted as the following:


                            * Gateway: Listener name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.
                            * Service: Port name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.


                            Implementations MAY choose to support attaching Routes to other resources.
                            If that is the case, they MUST clearly document how SectionName is
                            interpreted.


                            When unspecified (empty string), this will reference the entire resource.
                            For the purpose of status, an attachment is considered successful if at
                            least one section in the parent resource accepts it. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                            the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route, the
                            Route MUST be considered detached from the Gateway.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                      required:
                      - name
                      type: object
                  required:
                  - controllerName
                  - parentRef
                  type: object
                maxItems: 32
                type: array
            required:
            - parents
            type: object
        type: object
    served: true
    storage: false
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
    gateway.networking.k8s.io/bundle-version: v1.1.0
    gateway.networking.k8s.io/channel: experimental
  creationTimestamp: null
  name: httproutes.gateway.networking.k8s.io
spec:
  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
    kind: HTTPRoute
    listKind: HTTPRouteList
    plural: httproutes
    singular: httproute
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.hostnames
      name: Hostnames
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: |-
          HTTPRoute provides a way to route HTTP requests. This includes the capability
          to match requests by hostname, path, header, or query param. Filters can be
          used to specify additional processing steps. Backends specify where matching
          requests should be routed.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of HTTPRoute.
            properties:
              hostnames:
                description: |-
                  Hostnames defines a set of hostnames that should match against the HTTP Host
                  header to select a HTTPRoute used to process the request. Implementations
                  MUST ignore any port value specified in the HTTP Host header while
                  performing a match and (absent of any applicable header modification
                  configuration) MUST forward this header unmodified to the backend.


                  Valid values for Hostnames are determined by RFC 1123 definition of a
                  hostname with 2 notable exceptions:


                  1. IPs are not allowed.
                  2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                     label must appear by itself as the first label.


                  If a hostname is specified by both the Listener and HTTPRoute, there
                  must be at least one intersecting hostname for the HTTPRoute to be
                  attached to the Listener. For example:


                  * A Listener with `test.example.com` as the hostname matches HTTPRoutes
                    that have either not specified any hostnames, or have specified at
                    least one of `test.example.com` or `*.example.com`.
                  * A Listener with `*.example.com` as the hostname matches HTTPRoutes
                    that have either not specified any hostnames or have specified at least
                    one hostname that matches the Listener hostname.
                    For example,
                    `*.example.com`, `test.example.com`, and `foo.test.example.com` would
                    all match. On the other hand, `example.com` and `test.example.net` would
                    not match.


                  Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
                  as a suffix match. That means that a match for `*.example.com` would match
                  both `test.example.com`, and `foo.test.example.com`, but not `example.com`.


                  If both the Listener and HTTPRoute have specified hostnames, any
                  HTTPRoute hostnames that do not match the Listener hostname MUST be
                  ignored. For example, if a Listener specified `*.example.com`, and the
                  HTTPRoute specified `test.example.com` and `test.example.net`,
                  `test.example.net` must not be considered for a match.


                  If both the Listener and HTTPRoute have specified hostnames, and none
                  match with the criteria above, then the HTTPRoute is not accepted. The
                  implementation must raise an 'Accepted' Condition with a status of
                  `False` in the corresponding RouteParentStatus.


                  In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
                  overlapping wildcard matching and exact matching hostnames), precedence must
                  be given to rules from the HTTPRoute with the largest number of:


                  * Characters in a matching non-wildcard hostname.
                  * Characters in a matching hostname.


                  If ties exist across multiple Routes, the matching precedence rules for
                  HTTPRouteMatches takes over.


                  Support: Core
                items:
                  description: |-
                    Hostname is the fully qualified domain name of a network host. This matches
                    the RFC 1123 definition of a hostname with 2 notable exceptions:


                    1. IPs are not allowed.
                    2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                       label must appear by itself as the first label.


                    Hostname can be "precise" which is a domain name without the terminating
                    dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
                    domain name prefixed with a single wildcard label (e.g. `*.example.com`).


                    Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
                    alphanumeric characters or '-', and must start and end with an alphanumeric
                    character. No other punctuation is allowed.
                  maxLength: 253
                  minLength: 1
                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                  type: string
                maxItems: 16
                type: array
              parentRefs:
                description: |+
                  ParentRefs references the resources (usually Gateways) that a Route wants
                  to be attached to. Note that the referenced parent resource needs to
                  allow this for the attachment to be complete. For Gateways, that means
                  the Gateway needs to allow attachment from Routes of this kind and
                  namespace. For Services, that means the Service must either be in the same
                  namespace for a "producer" route, or the mesh implementation must support
                  and allow "consumer" routes for the referenced Service. ReferenceGrant is
                  not applicable for governing ParentRefs to Services - it is not possible to
                  create a "producer" route for a Service in a different namespace from the
                  Route.


                  There are two kinds of parent resources with "Core" support:


                  * Gateway (Gateway conformance profile)
                  * Service (Mesh conformance profile, ClusterIP Services only)


                  This API may be extended in the future to support additional kinds of parent
                  resources.


                  ParentRefs must be _distinct_. This means either that:


                  * They select different objects. If this is the case, then parentRef
                    entries are distinct.
                    In terms of fields, this means that the
                    multi-part key defined by `group`, `kind`, `namespace`, and `name` must
                    be unique across all parentRef entries in the Route.
                  * They do not select different objects, but for each optional field used,
                    each ParentRef that selects the same object must set the same set of
                    optional fields to different values. If one ParentRef sets a
                    combination of optional fields, all must set the same combination.


                  Some examples:


                  * If one ParentRef sets `sectionName`, all ParentRefs referencing the
                    same object must also set `sectionName`.
                  * If one ParentRef sets `port`, all ParentRefs referencing the same
                    object must also set `port`.
                  * If one ParentRef sets `sectionName` and `port`, all ParentRefs
                    referencing the same object must also set `sectionName` and `port`.


                  It is possible to separately reference multiple distinct objects that may
                  be collapsed by an implementation. For example, some implementations may
                  choose to merge compatible Gateway Listeners together. If that is the
                  case, the list of routes attached to those resources should also be
                  merged.


                  Note that for ParentRefs that cross namespace boundaries, there are specific
                  rules. Cross-namespace references are only valid if they are explicitly
                  allowed by something in the namespace they are referring to. For example,
                  Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                  generic way to enable other kinds of cross-namespace reference.



                  ParentRefs from a Route to a Service in the same namespace are "producer"
                  routes, which apply default routing rules to inbound connections from
                  any namespace to the Service.


                  ParentRefs from a Route to a Service in a different namespace are
                  "consumer" routes, and these routing rules are only applied to outbound
                  connections originating from the same namespace as the Route, for which
                  the intended destination of the connections are a Service targeted as a
                  ParentRef of the Route.






                items:
                  description: |-
                    ParentReference identifies an API object (usually a Gateway) that can be considered
                    a parent of this resource (usually a route). There are two kinds of parent resources
                    with "Core" support:


                    * Gateway (Gateway conformance profile)
                    * Service (Mesh conformance profile, ClusterIP Services only)


                    This API may be extended in the future to support additional kinds of parent
                    resources.


                    The API object must be valid in the cluster; the Group and Kind must
                    be registered in the cluster for this reference to be valid.
                  properties:
                    group:
                      default: gateway.networking.k8s.io
                      description: |-
                        Group is the group of the referent.
                        When unspecified, "gateway.networking.k8s.io" is inferred.
                        To set the core API group (such as for a "Service" kind referent),
                        Group must be explicitly set to "" (empty string).


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      default: Gateway
                      description: |-
                        Kind is kind of the referent.


                        There are two kinds of parent resources with "Core" support:


                        * Gateway (Gateway conformance profile)
                        * Service (Mesh conformance profile, ClusterIP Services only)


                        Support for other resources is Implementation-Specific.
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent. When unspecified, this refers
                        to the local namespace of the Route.


                        Note that there are specific rules for ParentRefs which cross namespace
                        boundaries. Cross-namespace references are only valid if they are explicitly
                        allowed by something in the namespace they are referring to. For example:
                        Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                        generic way to enable any other kind of cross-namespace reference.



                        ParentRefs from a Route to a Service in the same namespace are "producer"
                        routes, which apply default routing rules to inbound connections from
                        any namespace to the Service.


                        ParentRefs from a Route to a Service in a different namespace are
                        "consumer" routes, and these routing rules are only applied to outbound
                        connections originating from the same namespace as the Route, for which
                        the intended destination of the connections are a Service targeted as a
                        ParentRef of the Route.



                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    port:
                      description: |-
                        Port is the network port this Route targets. It can be interpreted
                        differently based on the type of parent resource.


                        When the parent resource is a Gateway, this targets all listeners
                        listening on the specified port that also support this kind of Route(and
                        select this Route). It's not recommended to set `Port` unless the
                        networking behaviors specified in a Route must apply to a specific port
                        as opposed to a listener(s) whose port(s) may be changed. When both Port
                        and SectionName are specified, the name and port of the selected listener
                        must match both specified values.



                        When the parent resource is a Service, this targets a specific port in the
                        Service spec. When both Port (experimental) and SectionName are specified,
                        the name and port of the selected port must match both specified values.



                        Implementations MAY choose to support other parent resources.
                        Implementations supporting other types of parent resources MUST clearly
                        document how/if Port is interpreted.


                        For the purpose of status, an attachment is considered successful as
                        long as the parent resource accepts it partially. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                        from the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route,
                        the Route MUST be considered detached from the Gateway.


                        Support: Extended
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    sectionName:
                      description: |-
                        SectionName is the name of a section within the target resource. In the
                        following resources, SectionName is interpreted as the following:


                        * Gateway: Listener name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.
                        * Service: Port name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.


                        Implementations MAY choose to support attaching Routes to other resources.
                        If that is the case, they MUST clearly document how SectionName is
                        interpreted.


                        When unspecified (empty string), this will reference the entire resource.
                        For the purpose of status, an attachment is considered successful if at
                        least one section in the parent resource accepts it. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                        the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route, the
                        Route MUST be considered detached from the Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                  required:
                  - name
                  type: object
                maxItems: 32
                type: array
                x-kubernetes-validations:
                - message: sectionName or port must be specified when parentRefs includes
                    2 or more references to the same parent
                  rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
                    == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__)) ?
                    ((!has(p1.sectionName)
                    || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
                    == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
                    || p2.port == 0)): true))'
                - message: sectionName or port must be unique when parentRefs includes
                    2 or more references to the same parent
                  rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
                    == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
                    || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
                    == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
                    == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
                    || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
                    == p2.port))))
              rules:
                default:
                - matches:
                  - path:
                      type: PathPrefix
                      value: /
                description: Rules are a list of HTTP matchers, filters and actions.
                items:
                  description: |-
                    HTTPRouteRule defines semantics for matching an HTTP request based on
                    conditions (matches), processing it (filters), and forwarding the request to
                    an API object (backendRefs).
                  properties:
                    backendRefs:
                      description: |-
                        BackendRefs defines the backend(s) where matching requests should be
                        sent.


                        Failure behavior here depends on how many BackendRefs are specified and
                        how many are invalid.


                        If *all* entries in BackendRefs are invalid, and there are also no filters
                        specified in this route rule, *all* traffic which matches this rule MUST
                        receive a 500 status code.


                        See the HTTPBackendRef definition for the rules about what makes a single
                        HTTPBackendRef invalid.


                        When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
                        requests that would have otherwise been routed to an invalid backend. If
                        multiple backends are specified, and some are invalid, the proportion of
                        requests that would otherwise have been routed to an invalid backend
                        MUST receive a 500 status code.


                        For example, if two backends are specified with equal weights, and one is
                        invalid, 50 percent of traffic must receive a 500. Implementations may
                        choose how that 50 percent is determined.


                        Support: Core for Kubernetes Service


                        Support: Extended for Kubernetes ServiceImport


                        Support: Implementation-specific for any other resource


                        Support for weight: Core
                      items:
                        description: |-
                          HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.


                          Note that when a namespace different than the local namespace is specified, a
                          ReferenceGrant object is required in the referent namespace to allow that
                          namespace's owner to accept the reference. See the ReferenceGrant
                          documentation for details.


                          <gateway:experimental:description>


                          When the BackendRef points to a Kubernetes Service, implementations SHOULD
                          honor the appProtocol field if it is set for the target Service Port.


                          Implementations supporting appProtocol SHOULD recognize the Kubernetes
                          Standard Application Protocols defined in KEP-3726.


                          If a Service appProtocol isn't specified, an implementation MAY infer the
                          backend protocol through its own means. Implementations MAY infer the
                          protocol from the Route type referring to the backend Service.


                          If a Route is not able to send traffic to the backend using the specified
                          protocol then the backend is considered invalid.
                          Implementations MUST set the
                          "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.


                          </gateway:experimental:description>
                        properties:
                          filters:
                            description: |-
                              Filters defined at this level should be executed if and only if the
                              request is being forwarded to the backend defined here.


                              Support: Implementation-specific (For broader support of filters, use the
                              Filters field in HTTPRouteRule.)
                            items:
                              description: |-
                                HTTPRouteFilter defines processing steps that must be completed during the
                                request or response lifecycle. HTTPRouteFilters are meant as an extension
                                point to express processing that may be done in Gateway implementations. Some
                                examples include request or response modification, implementing
                                authentication strategies, rate-limiting, and traffic shaping. API
                                guarantee/conformance is defined based on the type of the filter.
                              properties:
                                extensionRef:
                                  description: |-
                                    ExtensionRef is an optional, implementation-specific extension to the
                                    "filter" behavior. For example, resource "myroutefilter" in group
                                    "networking.example.net"). ExtensionRef MUST NOT be used for core and
                                    extended filters.


                                    This filter can be used multiple times within the same rule.


                                    Support: Implementation-specific
                                  properties:
                                    group:
                                      description: |-
                                        Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                        When unspecified or empty string, core API group is inferred.
                                      maxLength: 253
                                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    kind:
                                      description: Kind is kind of the referent. For
                                        example "HTTPRoute" or "Service".
                                      maxLength: 63
                                      minLength: 1
                                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                      type: string
                                    name:
                                      description: Name is the name of the referent.
                                      maxLength: 253
                                      minLength: 1
                                      type: string
                                  required:
                                  - group
                                  - kind
                                  - name
                                  type: object
                                requestHeaderModifier:
                                  description: |-
                                    RequestHeaderModifier defines a schema for a filter that modifies request
                                    headers.


                                    Support: Core
                                  properties:
                                    add:
                                      description: |-
                                        Add adds the given header(s) (name, value) to the request
                                        before the action. It appends to any existing values associated
                                        with the header name.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          add:
                                          - name: "my-header"
                                            value: "bar,baz"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: foo,bar,baz
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                    remove:
                                      description: |-
                                        Remove the given header(s) from the HTTP request before the action. The
                                        value of Remove is a list of HTTP header names.
                                        Note that the header
                                        names are case-insensitive (see
                                        https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header1: foo
                                          my-header2: bar
                                          my-header3: baz


                                        Config:
                                          remove: ["my-header1", "my-header3"]


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header2: bar
                                      items:
                                        type: string
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-type: set
                                    set:
                                      description: |-
                                        Set overwrites the request with the given header (name, value)
                                        before the action.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          set:
                                          - name: "my-header"
                                            value: "bar"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: bar
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                  type: object
                                requestMirror:
                                  description: |-
                                    RequestMirror defines a schema for a filter that mirrors requests.
                                    Requests are sent to the specified destination, but responses from
                                    that destination are ignored.


                                    This filter can be used multiple times within the same rule. Note that
                                    not all implementations will be able to support mirroring to multiple
                                    backends.


                                    Support: Extended
                                  properties:
                                    backendRef:
                                      description: |-
                                        BackendRef references a resource where mirrored requests are sent.


                                        Mirrored requests must be sent only to a single destination endpoint
                                        within this BackendRef, irrespective of how many endpoints are present
                                        within this BackendRef.


                                        If the referent cannot be found, this BackendRef is invalid and must be
                                        dropped from the Gateway. The controller must ensure the "ResolvedRefs"
                                        condition on the Route status is set to `status: False` and not configure
                                        this backend in the underlying implementation.


                                        If there is a cross-namespace reference to an *existing* object
                                        that is not allowed by a ReferenceGrant, the controller must ensure the
                                        "ResolvedRefs" condition on the Route is set to `status: False`,
                                        with the "RefNotPermitted" reason and not configure this backend in the
                                        underlying implementation.


                                        In either error case, the Message of the `ResolvedRefs` Condition
                                        should be used to provide more detail about the problem.


                                        Support: Extended for Kubernetes Service


                                        Support: Implementation-specific for any other resource
                                      properties:
                                        group:
                                          default: ""
                                          description: |-
                                            Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                            When unspecified or empty string, core API group is inferred.
                                          maxLength: 253
                                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                          type: string
                                        kind:
                                          default: Service
                                          description: |-
                                            Kind is the Kubernetes resource kind of the referent.
                                            For example
                                            "Service".


                                            Defaults to "Service" when not specified.


                                            ExternalName services can refer to CNAME DNS records that may live
                                            outside of the cluster and as such are difficult to reason about in
                                            terms of conformance. They also may not be safe to forward to (see
                                            CVE-2021-25740 for more information). Implementations SHOULD NOT
                                            support ExternalName Services.


                                            Support: Core (Services with a type other than ExternalName)


                                            Support: Implementation-specific (Services with type ExternalName)
                                          maxLength: 63
                                          minLength: 1
                                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                          type: string
                                        name:
                                          description: Name is the name of the referent.
                                          maxLength: 253
                                          minLength: 1
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace is the namespace of the backend. When unspecified, the local
                                            namespace is inferred.


                                            Note that when a namespace different than the local namespace is specified,
                                            a ReferenceGrant object is required in the referent namespace to allow that
                                            namespace's owner to accept the reference. See the ReferenceGrant
                                            documentation for details.


                                            Support: Core
                                          maxLength: 63
                                          minLength: 1
                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                          type: string
                                        port:
                                          description: |-
                                            Port specifies the destination port number to use for this resource.
                                            Port is required when the referent is a Kubernetes Service. In this
                                            case, the port number is the service port number, not the target port.
                                            For other resources, destination port might be derived from the referent
                                            resource or this field.
                                          format: int32
                                          maximum: 65535
                                          minimum: 1
                                          type: integer
                                      required:
                                      - name
                                      type: object
                                      x-kubernetes-validations:
                                      - message: Must have port for Service reference
                                        rule: '(size(self.group) == 0 && self.kind
                                          == ''Service'') ?
                                          has(self.port) : true'
                                  required:
                                  - backendRef
                                  type: object
                                requestRedirect:
                                  description: |-
                                    RequestRedirect defines a schema for a filter that responds to the
                                    request with an HTTP redirection.


                                    Support: Core
                                  properties:
                                    hostname:
                                      description: |-
                                        Hostname is the hostname to be used in the value of the `Location`
                                        header in the response.
                                        When empty, the hostname in the `Host` header of the request is used.


                                        Support: Core
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    path:
                                      description: |-
                                        Path defines parameters used to modify the path of the incoming request.
                                        The modified path is then used to construct the `Location` header. When
                                        empty, the request path is used as-is.


                                        Support: Extended
                                      properties:
                                        replaceFullPath:
                                          description: |-
                                            ReplaceFullPath specifies the value with which to replace the full path
                                            of a request during a rewrite or redirect.
                                          maxLength: 1024
                                          type: string
                                        replacePrefixMatch:
                                          description: |-
                                            ReplacePrefixMatch specifies the value with which to replace the prefix
                                            match of a request during a rewrite or redirect. For example, a request
                                            to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
                                            of "/xyz" would be modified to "/xyz/bar".


                                            Note that this matches the behavior of the PathPrefix match type. This
                                            matches full path elements. A path element refers to the list of labels
                                            in the path split by the `/` separator. When specified, a trailing `/` is
                                            ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
                                            match the prefix `/abc`, but the path `/abcd` would not.


                                            ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
                                            Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
                                            the implementation setting the Accepted Condition for the Route to `status: False`.


                                            Request Path | Prefix Match | Replace Prefix | Modified Path
                                            -------------|--------------|----------------|----------
                                            /foo/bar     | /foo         | /xyz           | /xyz/bar
                                            /foo/bar     | /foo         | /xyz/          | /xyz/bar
                                            /foo/bar     | /foo/        | /xyz           | /xyz/bar
                                            /foo/bar     | /foo/        | /xyz/          | /xyz/bar
                                            /foo         | /foo         | /xyz           | /xyz
                                            /foo/        | /foo         | /xyz           | /xyz/
                                            /foo/bar     | /foo         | <empty string> | /bar
                                            /foo/        | /foo         | <empty string> | /
                                            /foo         | /foo         | <empty string> | /
                                            /foo/        | /foo         | /              | /
                                            /foo         | /foo         | /              | /
                                          maxLength: 1024
                                          type: string
                                        type:
                                          description: |-
                                            Type defines the type of path modifier. Additional types may be
                                            added in a future release of the API.


                                            Note that values may be added to this enum, implementations
                                            must ensure that unknown values will not cause a crash.


                                            Unknown values here must result in the implementation setting the
                                            Accepted Condition for the Route to `status: False`, with a
                                            Reason of `UnsupportedValue`.
                                          enum:
                                          - ReplaceFullPath
                                          - ReplacePrefixMatch
                                          type: string
                                      required:
                                      - type
                                      type: object
                                      x-kubernetes-validations:
                                      - message: replaceFullPath must be specified
                                          when type is set to 'ReplaceFullPath'
                                        rule: 'self.type == ''ReplaceFullPath'' ?
                                          has(self.replaceFullPath) : true'
                                      - message: type must be 'ReplaceFullPath' when
                                          replaceFullPath is set
                                        rule: 'has(self.replaceFullPath) ? self.type
                                          == ''ReplaceFullPath'' : true'
                                      - message: replacePrefixMatch must be specified
                                          when type is set to 'ReplacePrefixMatch'
                                        rule: 'self.type == ''ReplacePrefixMatch''
                                          ?
                                          has(self.replacePrefixMatch) : true'
                                      - message: type must be 'ReplacePrefixMatch'
                                          when replacePrefixMatch is set
                                        rule: 'has(self.replacePrefixMatch) ? self.type
                                          == ''ReplacePrefixMatch'' : true'
                                    port:
                                      description: |-
                                        Port is the port to be used in the value of the `Location`
                                        header in the response.


                                        If no port is specified, the redirect port MUST be derived using the
                                        following rules:


                                        * If redirect scheme is not-empty, the redirect port MUST be the well-known
                                          port associated with the redirect scheme. Specifically "http" to port 80
                                          and "https" to port 443. If the redirect scheme does not have a
                                          well-known port, the listener port of the Gateway SHOULD be used.
                                        * If redirect scheme is empty, the redirect port MUST be the Gateway
                                          Listener port.


                                        Implementations SHOULD NOT add the port number in the 'Location'
                                        header in the following cases:


                                        * A Location header that will use HTTP (whether that is determined via
                                          the Listener protocol or the Scheme field) _and_ use port 80.
                                        * A Location header that will use HTTPS (whether that is determined via
                                          the Listener protocol or the Scheme field) _and_ use port 443.


                                        Support: Extended
                                      format: int32
                                      maximum: 65535
                                      minimum: 1
                                      type: integer
                                    scheme:
                                      description: |-
                                        Scheme is the scheme to be used in the value of the `Location` header in
                                        the response. When empty, the scheme of the request is used.


                                        Scheme redirects can affect the port of the redirect, for more information,
                                        refer to the documentation for the port field of this filter.


                                        Note that values may be added to this enum, implementations
                                        must ensure that unknown values will not cause a crash.


                                        Unknown values here must result in the implementation setting the
                                        Accepted Condition for the Route to `status: False`, with a
                                        Reason of `UnsupportedValue`.


                                        Support: Extended
                                      enum:
                                      - http
                                      - https
                                      type: string
                                    statusCode:
                                      default: 302
                                      description: |-
                                        StatusCode is the HTTP status code to be used in response.


                                        Note that values may be added to this enum, implementations
                                        must ensure that unknown values will not cause a crash.


                                        Unknown values here must result in the implementation setting the
                                        Accepted Condition for the Route to `status: False`, with a
                                        Reason of `UnsupportedValue`.


                                        Support: Core
                                      enum:
                                      - 301
                                      - 302
                                      type: integer
                                  type: object
                                responseHeaderModifier:
                                  description: |-
                                    ResponseHeaderModifier defines a schema for a filter that modifies response
                                    headers.


                                    Support: Extended
                                  properties:
                                    add:
                                      description: |-
                                        Add adds the given header(s) (name, value) to the request
                                        before the action. It appends to any existing values associated
                                        with the header name.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          add:
                                          - name: "my-header"
                                            value: "bar,baz"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: foo,bar,baz
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match. Subsequent entries
                                              with an equivalent header name MUST be ignored.
                                              Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                    remove:
                                      description: |-
                                        Remove the given header(s) from the HTTP request before the action. The
                                        value of Remove is a list of HTTP header names. Note that the header
                                        names are case-insensitive (see
                                        https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header1: foo
                                          my-header2: bar
                                          my-header3: baz


                                        Config:
                                          remove: ["my-header1", "my-header3"]


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header2: bar
                                      items:
                                        type: string
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-type: set
                                    set:
                                      description: |-
                                        Set overwrites the request with the given header (name, value)
                                        before the action.


                                        Input:
                                          GET /foo HTTP/1.1
                                          my-header: foo


                                        Config:
                                          set:
                                          - name: "my-header"
                                            value: "bar"


                                        Output:
                                          GET /foo HTTP/1.1
                                          my-header: bar
                                      items:
                                        description: HTTPHeader represents an HTTP
                                          Header name and value as defined by RFC
                                          7230.
                                        properties:
                                          name:
                                            description: |-
                                              Name is the name of the HTTP Header to be matched. Name matching MUST be
                                              case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                              If multiple entries specify equivalent header names, the first entry with
                                              an equivalent name MUST be considered for a match.
                                              Subsequent entries
                                              with an equivalent header name MUST be ignored. Due to the
                                              case-insensitivity of header names, "foo" and "Foo" are considered
                                              equivalent.
                                            maxLength: 256
                                            minLength: 1
                                            pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                            type: string
                                          value:
                                            description: Value is the value of HTTP
                                              Header to be matched.
                                            maxLength: 4096
                                            minLength: 1
                                            type: string
                                        required:
                                        - name
                                        - value
                                        type: object
                                      maxItems: 16
                                      type: array
                                      x-kubernetes-list-map-keys:
                                      - name
                                      x-kubernetes-list-type: map
                                  type: object
                                type:
                                  description: |-
                                    Type identifies the type of filter to apply. As with other API fields,
                                    types are classified into three conformance levels:


                                    - Core: Filter types and their corresponding configuration defined by
                                      "Support: Core" in this package, e.g. "RequestHeaderModifier". All
                                      implementations must support core filters.


                                    - Extended: Filter types and their corresponding configuration defined by
                                      "Support: Extended" in this package, e.g. "RequestMirror". Implementers
                                      are encouraged to support extended filters.


                                    - Implementation-specific: Filters that are defined and supported by
                                      specific vendors.
                                      In the future, filters showing convergence in behavior across multiple
                                      implementations will be considered for inclusion in extended or core
                                      conformance levels. Filter-specific configuration for such filters
                                      is specified using the ExtensionRef field. `Type` should be set to
                                      "ExtensionRef" for custom filters.


                                    Implementers are encouraged to define custom implementation types to
                                    extend the core API with implementation-specific behavior.


                                    If a reference to a custom filter type cannot be resolved, the filter
                                    MUST NOT be skipped. Instead, requests that would have been processed by
                                    that filter MUST receive a HTTP error response.


                                    Note that values may be added to this enum, implementations
                                    must ensure that unknown values will not cause a crash.


                                    Unknown values here must result in the implementation setting the
                                    Accepted Condition for the Route to `status: False`, with a
                                    Reason of `UnsupportedValue`.
                                  enum:
                                  - RequestHeaderModifier
                                  - ResponseHeaderModifier
                                  - RequestMirror
                                  - RequestRedirect
                                  - URLRewrite
                                  - ExtensionRef
                                  type: string
                                urlRewrite:
                                  description: |-
                                    URLRewrite defines a schema for a filter that modifies a request during forwarding.


                                    Support: Extended
                                  properties:
                                    hostname:
                                      description: |-
                                        Hostname is the value to be used to replace the Host header value during
                                        forwarding.


                                        Support: Extended
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    path:
                                      description: |-
                                        Path defines a path rewrite.


                                        Support: Extended
                                      properties:
                                        replaceFullPath:
                                          description: |-
                                            ReplaceFullPath specifies the value with which to replace the full path
                                            of a request during a rewrite or redirect.
                                          maxLength: 1024
                                          type: string
                                        replacePrefixMatch:
                                          description: |-
                                            ReplacePrefixMatch specifies the value with which to replace the prefix
                                            match of a request during a rewrite or redirect. For example, a request
                                            to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
                                            of "/xyz" would be modified to "/xyz/bar".


                                            Note that this matches the behavior of the PathPrefix match type. This
                                            matches full path elements. A path element refers to the list of labels
                                            in the path split by the `/` separator. When specified, a trailing `/` is
                                            ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
                                            match the prefix `/abc`, but the path `/abcd` would not.


                                            ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
                                            Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
                                            the implementation setting the Accepted Condition for the Route to `status: False`.


                                            Request Path | Prefix Match | Replace Prefix | Modified Path
                                            -------------|--------------|----------------|----------
                                            /foo/bar     | /foo         | /xyz           | /xyz/bar
                                            /foo/bar     | /foo         | /xyz/          | /xyz/bar
                                            /foo/bar     | /foo/        | /xyz           | /xyz/bar
                                            /foo/bar     | /foo/        | /xyz/          | /xyz/bar
                                            /foo         | /foo         | /xyz           | /xyz
                                            /foo/        | /foo         | /xyz           | /xyz/
                                            /foo/bar     | /foo         | <empty string> | /bar
                                            /foo/        | /foo         | <empty string> | /
                                            /foo         | /foo         | <empty string> | /
                                            /foo/        | /foo         | /              | /
                                            /foo         | /foo         | /              | /
                                          maxLength: 1024
                                          type: string
                                        type:
                                          description: |-
                                            Type defines the type of path modifier. Additional types may be
                                            added in a future release of the API.


                                            Note that values may be added to this enum, implementations
                                            must ensure that unknown values will not cause a crash.


                                            Unknown values here must result in the implementation setting the
                                            Accepted Condition for the Route to `status: False`, with a
                                            Reason of `UnsupportedValue`.
                                          enum:
                                          - ReplaceFullPath
                                          - ReplacePrefixMatch
                                          type: string
                                      required:
                                      - type
                                      type: object
                                      x-kubernetes-validations:
                                      - message: replaceFullPath must be specified
                                          when type is set to 'ReplaceFullPath'
                                        rule: 'self.type == ''ReplaceFullPath'' ?
                                          has(self.replaceFullPath) : true'
                                      - message: type must be 'ReplaceFullPath' when
                                          replaceFullPath is set
                                        rule: 'has(self.replaceFullPath) ? self.type
                                          == ''ReplaceFullPath'' : true'
                                      - message: replacePrefixMatch must be specified
                                          when type is set to 'ReplacePrefixMatch'
                                        rule: 'self.type == ''ReplacePrefixMatch''
                                          ?
                                          has(self.replacePrefixMatch) : true'
                                      - message: type must be 'ReplacePrefixMatch'
                                          when replacePrefixMatch is set
                                        rule: 'has(self.replacePrefixMatch) ? self.type
                                          == ''ReplacePrefixMatch'' : true'
                                  type: object
                              required:
                              - type
                              type: object
                              x-kubernetes-validations:
                              - message: filter.requestHeaderModifier must be nil
                                  if the filter.type is not RequestHeaderModifier
                                rule: '!(has(self.requestHeaderModifier) && self.type
                                  != ''RequestHeaderModifier'')'
                              - message: filter.requestHeaderModifier must be specified
                                  for RequestHeaderModifier filter.type
                                rule: '!(!has(self.requestHeaderModifier) && self.type
                                  == ''RequestHeaderModifier'')'
                              - message: filter.responseHeaderModifier must be nil
                                  if the filter.type is not ResponseHeaderModifier
                                rule: '!(has(self.responseHeaderModifier) && self.type
                                  != ''ResponseHeaderModifier'')'
                              - message: filter.responseHeaderModifier must be specified
                                  for ResponseHeaderModifier filter.type
                                rule: '!(!has(self.responseHeaderModifier) && self.type
                                  == ''ResponseHeaderModifier'')'
                              - message: filter.requestMirror must be nil if the filter.type
                                  is not RequestMirror
                                rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
                              - message: filter.requestMirror must be specified for
                                  RequestMirror filter.type
                                rule: '!(!has(self.requestMirror) && self.type ==
                                  ''RequestMirror'')'
                              - message: filter.requestRedirect must be nil if the
                                  filter.type is not RequestRedirect
                                rule: '!(has(self.requestRedirect) && self.type !=
                                  ''RequestRedirect'')'
                              - message: filter.requestRedirect must be specified
                                  for RequestRedirect filter.type
                                rule: '!(!has(self.requestRedirect) && self.type ==
                                  ''RequestRedirect'')'
                              - message: filter.urlRewrite must be nil if the filter.type
                                  is not URLRewrite
                                rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
                              - message:
                                  filter.urlRewrite must be specified for URLRewrite
                                  filter.type
                                rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
                              - message: filter.extensionRef must be nil if the filter.type
                                  is not ExtensionRef
                                rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
                              - message: filter.extensionRef must be specified for
                                  ExtensionRef filter.type
                                rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
                            maxItems: 16
                            type: array
                            x-kubernetes-validations:
                            - message: May specify either httpRouteFilterRequestRedirect
                                or httpRouteFilterRequestRewrite, but not both
                              rule: '!(self.exists(f, f.type == ''RequestRedirect'')
                                && self.exists(f, f.type == ''URLRewrite''))'
                            - message: May specify either httpRouteFilterRequestRedirect
                                or httpRouteFilterRequestRewrite, but not both
                              rule: '!(self.exists(f, f.type == ''RequestRedirect'')
                                && self.exists(f, f.type == ''URLRewrite''))'
                            - message: RequestHeaderModifier filter cannot be repeated
                              rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
                                <= 1
                            - message: ResponseHeaderModifier filter cannot be repeated
                              rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
                                <= 1
                            - message: RequestRedirect filter cannot be repeated
                              rule: self.filter(f, f.type == 'RequestRedirect').size()
                                <= 1
                            - message: URLRewrite filter cannot be repeated
                              rule: self.filter(f, f.type == 'URLRewrite').size()
                                <= 1
                          group:
                            default: ""
                            description: |-
                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
                              When unspecified or empty string, core API group is inferred.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            default: Service
                            description: |-
                              Kind is the Kubernetes resource kind of the referent. For example
                              "Service".


                              Defaults to "Service" when not specified.


                              ExternalName services can refer to CNAME DNS records that may live
                              outside of the cluster and as such are difficult to reason about in
                              terms of conformance. They also may not be safe to forward to (see
                              CVE-2021-25740 for more information). Implementations SHOULD NOT
                              support ExternalName Services.


                              Support: Core (Services with a type other than ExternalName)


                              Support: Implementation-specific (Services with type ExternalName)
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                          name:
                            description: Name is the name of the referent.
                            maxLength: 253
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace is the namespace of the backend. When unspecified, the local
                              namespace is inferred.


                              Note that when a namespace different than the local namespace is specified,
                              a ReferenceGrant object is required in the referent namespace to allow that
                              namespace's owner to accept the reference. See the ReferenceGrant
                              documentation for details.


                              Support: Core
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          port:
                            description: |-
                              Port specifies the destination port number to use for this resource.
                              Port is required when the referent is a Kubernetes Service. In this
                              case, the port number is the service port number, not the target port.
                              For other resources, destination port might be derived from the referent
                              resource or this field.
                            format: int32
                            maximum: 65535
                            minimum: 1
                            type: integer
                          weight:
                            default: 1
                            description: |-
                              Weight specifies the proportion of requests forwarded to the referenced
                              backend. This is computed as weight/(sum of all weights in this
                              BackendRefs list).
                              For non-zero values, there may be some epsilon from
                              the exact proportion defined here depending on the precision an
                              implementation supports. Weight is not a percentage and the sum of
                              weights does not need to equal 100.


                              If only one backend is specified and it has a weight greater than 0, 100%
                              of the traffic is forwarded to that backend. If weight is set to 0, no
                              traffic should be forwarded for this entry. If unspecified, weight
                              defaults to 1.


                              Support for this field varies based on the context where used.
                            format: int32
                            maximum: 1000000
                            minimum: 0
                            type: integer
                        required:
                        - name
                        type: object
                        x-kubernetes-validations:
                        - message: Must have port for Service reference
                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
                            ? has(self.port) : true'
                      maxItems: 16
                      type: array
                    filters:
                      description: |-
                        Filters define the filters that are applied to requests that match
                        this rule.


                        Wherever possible, implementations SHOULD implement filters in the order
                        they are specified.


                        Implementations MAY choose to implement this ordering strictly, rejecting
                        any combination or order of filters that can not be supported. If implementations
                        choose a strict interpretation of filter ordering, they MUST clearly document
                        that behavior.


                        To reject an invalid combination or order of filters, implementations SHOULD
                        consider the Route Rules with this configuration invalid. If all Route Rules
                        in a Route are invalid, the entire Route would be considered invalid. If only
                        a portion of Route Rules are invalid, implementations MUST set the
                        "PartiallyInvalid" condition for the Route.


                        Conformance-levels at this level are defined based on the type of filter:


                        - ALL core filters MUST be supported by all implementations.
                        - Implementers are encouraged to support extended filters.
                        - Implementation-specific custom filters have no API guarantees across
                          implementations.


                        Specifying the same filter multiple times is not supported unless explicitly
                        indicated in the filter.


                        All filters are expected to be compatible with each other except for the
                        URLRewrite and RequestRedirect filters, which may not be combined. If an
                        implementation can not support other combinations of filters, they must clearly
                        document that limitation. In cases where incompatible or unsupported
                        filters are specified and cause the `Accepted` condition to be set to status
                        `False`, implementations may use the `IncompatibleFilters` reason to specify
                        this configuration error.


                        Support: Core
                      items:
                        description: |-
                          HTTPRouteFilter defines processing steps that must be completed during the
                          request or response lifecycle. HTTPRouteFilters are meant as an extension
                          point to express processing that may be done in Gateway implementations. Some
                          examples include request or response modification, implementing
                          authentication strategies, rate-limiting, and traffic shaping. API
                          guarantee/conformance is defined based on the type of the filter.
                        properties:
                          extensionRef:
                            description: |-
                              ExtensionRef is an optional, implementation-specific extension to the
                              "filter" behavior.  For example, resource "myroutefilter" in group
                              "networking.example.net"). ExtensionRef MUST NOT be used for core and
                              extended filters.


                              This filter can be used multiple times within the same rule.


                              Support: Implementation-specific
                            properties:
                              group:
                                description: |-
                                  Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                  When unspecified or empty string, core API group is inferred.
                                maxLength: 253
                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              kind:
                                description: Kind is kind of the referent. For example
                                  "HTTPRoute" or "Service".
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                type: string
                              name:
                                description: Name is the name of the referent.
                                maxLength: 253
                                minLength: 1
                                type: string
                            required:
                            - group
                            - kind
                            - name
                            type: object
                          requestHeaderModifier:
                            description: |-
                              RequestHeaderModifier defines a schema for a filter that modifies request
                              headers.


                              Support: Core
                            properties:
                              add:
                                description: |-
                                  Add adds the given header(s) (name, value) to the request
                                  before the action. It appends to any existing values associated
                                  with the header name.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    add:
                                    - name: "my-header"
                                      value: "bar,baz"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: foo,bar,baz
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                              remove:
                                description: |-
                                  Remove the given header(s) from the HTTP request before the action. The
                                  value of Remove is a list of HTTP header names. Note that the header
                                  names are case-insensitive (see
                                  https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header1: foo
                                    my-header2: bar
                                    my-header3: baz


                                  Config:
                                    remove: ["my-header1", "my-header3"]


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header2: bar
                                items:
                                  type: string
                                maxItems: 16
                                type: array
                                x-kubernetes-list-type: set
                              set:
                                description: |-
                                  Set overwrites the request with the given header (name, value)
                                  before the action.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    set:
                                    - name: "my-header"
                                      value: "bar"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: bar
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                            type: object
                          requestMirror:
                            description: |-
                              RequestMirror defines a schema for a filter that mirrors requests.
                              Requests are sent to the specified destination, but responses from
                              that destination are ignored.


                              This filter can be used multiple times within the same rule. Note that
                              not all implementations will be able to support mirroring to multiple
                              backends.


                              Support: Extended
                            properties:
                              backendRef:
                                description: |-
                                  BackendRef references a resource where mirrored requests are sent.


                                  Mirrored requests must be sent only to a single destination endpoint
                                  within this BackendRef, irrespective of how many endpoints are present
                                  within this BackendRef.


                                  If the referent cannot be found, this BackendRef is invalid and must be
                                  dropped from the Gateway. The controller must ensure the "ResolvedRefs"
                                  condition on the Route status is set to `status: False` and not configure
                                  this backend in the underlying implementation.


                                  If there is a cross-namespace reference to an *existing* object
                                  that is not allowed by a ReferenceGrant, the controller must ensure the
                                  "ResolvedRefs"  condition on the Route is set to `status: False`,
                                  with the "RefNotPermitted" reason and not configure this backend in the
                                  underlying implementation.


                                  In either error case, the Message of the `ResolvedRefs` Condition
                                  should be used to provide more detail about the problem.


                                  Support: Extended for Kubernetes Service


                                  Support: Implementation-specific for any other resource
                                properties:
                                  group:
                                    default: ""
                                    description: |-
                                      Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                      When unspecified or empty string, core API group is inferred.
                                    maxLength: 253
                                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  kind:
                                    default: Service
                                    description: |-
                                      Kind is the Kubernetes resource kind of the referent. For example
                                      "Service".


                                      Defaults to "Service" when not specified.


                                      ExternalName services can refer to CNAME DNS records that may live
                                      outside of the cluster and as such are difficult to reason about in
                                      terms of conformance. They also may not be safe to forward to (see
                                      CVE-2021-25740 for more information). Implementations SHOULD NOT
                                      support ExternalName Services.


                                      Support: Core (Services with a type other than ExternalName)


                                      Support: Implementation-specific (Services with type ExternalName)
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                    type: string
                                  name:
                                    description: Name is the name of the referent.
                                    maxLength: 253
                                    minLength: 1
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace is the namespace of the backend. When unspecified, the local
                                      namespace is inferred.


                                      Note that when a namespace different than the local namespace is specified,
                                      a ReferenceGrant object is required in the referent namespace to allow that
                                      namespace's owner to accept the reference. See the ReferenceGrant
                                      documentation for details.


                                      Support: Core
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                  port:
                                    description: |-
                                      Port specifies the destination port number to use for this resource.
                                      Port is required when the referent is a Kubernetes Service. In this
                                      case, the port number is the service port number, not the target port.
                                      For other resources, destination port might be derived from the referent
                                      resource or this field.
                                    format: int32
                                    maximum: 65535
                                    minimum: 1
                                    type: integer
                                required:
                                - name
                                type: object
                                x-kubernetes-validations:
                                - message: Must have port for Service reference
                                  rule: '(size(self.group) == 0 && self.kind == ''Service'')
                                    ? has(self.port) : true'
                            required:
                            - backendRef
                            type: object
                          requestRedirect:
                            description: |-
                              RequestRedirect defines a schema for a filter that responds to the
                              request with an HTTP redirection.


                              Support: Core
                            properties:
                              hostname:
                                description: |-
                                  Hostname is the hostname to be used in the value of the `Location`
                                  header in the response.
                                  When empty, the hostname in the `Host` header of the request is used.


                                  Support: Core
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              path:
                                description: |-
                                  Path defines parameters used to modify the path of the incoming request.
                                  The modified path is then used to construct the `Location` header. When
                                  empty, the request path is used as-is.


                                  Support: Extended
                                properties:
                                  replaceFullPath:
                                    description: |-
                                      ReplaceFullPath specifies the value with which to replace the full path
                                      of a request during a rewrite or redirect.
                                    maxLength: 1024
                                    type: string
                                  replacePrefixMatch:
                                    description: |-
                                      ReplacePrefixMatch specifies the value with which to replace the prefix
                                      match of a request during a rewrite or redirect. For example, a request
                                      to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
                                      of "/xyz" would be modified to "/xyz/bar".


                                      Note that this matches the behavior of the PathPrefix match type. This
                                      matches full path elements. A path element refers to the list of labels
                                      in the path split by the `/` separator. When specified, a trailing `/` is
                                      ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
                                      match the prefix `/abc`, but the path `/abcd` would not.


                                      ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
                                      Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
                                      the implementation setting the Accepted Condition for the Route to `status: False`.


                                      Request Path | Prefix Match | Replace Prefix | Modified Path
                                      -------------|--------------|----------------|----------
                                      /foo/bar     | /foo         | /xyz           | /xyz/bar
                                      /foo/bar     | /foo         | /xyz/          | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz           | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz/          | /xyz/bar
                                      /foo         | /foo         | /xyz           | /xyz
                                      /foo/        | /foo         | /xyz           | /xyz/
                                      /foo/bar     | /foo         | <empty string> | /bar
                                      /foo/        | /foo         | <empty string> | /
                                      /foo         | /foo         | <empty string> | /
                                      /foo/        | /foo         | /              | /
                                      /foo         | /foo         | /              | /
                                    maxLength: 1024
                                    type: string
                                  type:
                                    description: |-
                                      Type defines the type of path modifier. Additional types may be
                                      added in a future release of the API.


                                      Note that values may be added to this enum, implementations
                                      must ensure that unknown values will not cause a crash.


                                      Unknown values here must result in the implementation setting the
                                      Accepted Condition for the Route to `status: False`, with a
                                      Reason of `UnsupportedValue`.
                                    enum:
                                    - ReplaceFullPath
                                    - ReplacePrefixMatch
                                    type: string
                                required:
                                - type
                                type: object
                                x-kubernetes-validations:
                                - message: replaceFullPath must be specified when
                                    type is set to 'ReplaceFullPath'
                                  rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
                                    : true'
                                - message: type must be 'ReplaceFullPath' when replaceFullPath
                                    is set
                                  rule: 'has(self.replaceFullPath) ? self.type ==
                                    ''ReplaceFullPath'' : true'
                                - message: replacePrefixMatch must be specified when
                                    type is set to 'ReplacePrefixMatch'
                                  rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
                                    : true'
                                - message: type must be 'ReplacePrefixMatch' when
                                    replacePrefixMatch is set
                                  rule: 'has(self.replacePrefixMatch) ? self.type
                                    == ''ReplacePrefixMatch'' : true'
                              port:
                                description: |-
                                  Port is the port to be used in the value of the `Location`
                                  header in the response.


                                  If no port is specified, the redirect port MUST be derived using the
                                  following rules:


                                  * If redirect scheme is not-empty, the redirect port MUST be the well-known
                                    port associated with the redirect scheme. Specifically "http" to port 80
                                    and "https" to port 443. If the redirect scheme does not have a
                                    well-known port, the listener port of the Gateway SHOULD be used.
                                  * If redirect scheme is empty, the redirect port MUST be the Gateway
                                    Listener port.


                                  Implementations SHOULD NOT add the port number in the 'Location'
                                  header in the following cases:


                                  * A Location header that will use HTTP (whether that is determined via
                                    the Listener protocol or the Scheme field) _and_ use port 80.
                                  * A Location header that will use HTTPS (whether that is determined via
                                    the Listener protocol or the Scheme field) _and_ use port 443.


                                  Support: Extended
                                format: int32
                                maximum: 65535
                                minimum: 1
                                type: integer
                              scheme:
                                description: |-
                                  Scheme is the scheme to be used in the value of the `Location` header in
                                  the response. When empty, the scheme of the request is used.


                                  Scheme redirects can affect the port of the redirect, for more information,
                                  refer to the documentation for the port field of this filter.


                                  Note that values may be added to this enum, implementations
                                  must ensure that unknown values will not cause a crash.


                                  Unknown values here must result in the implementation setting the
                                  Accepted Condition for the Route to `status: False`, with a
                                  Reason of `UnsupportedValue`.


                                  Support: Extended
                                enum:
                                - http
                                - https
                                type: string
                              statusCode:
                                default: 302
                                description: |-
                                  StatusCode is the HTTP status code to be used in response.


                                  Note that values may be added to this enum, implementations
                                  must ensure that unknown values will not cause a crash.


                                  Unknown values here must result in the implementation setting the
                                  Accepted Condition for the Route to `status: False`, with a
                                  Reason of `UnsupportedValue`.


                                  Support: Core
                                enum:
                                - 301
                                - 302
                                type: integer
                            type: object
                          responseHeaderModifier:
                            description: |-
                              ResponseHeaderModifier defines a schema for a filter that modifies response
                              headers.


                              Support: Extended
                            properties:
                              add:
                                description: |-
                                  Add adds the given header(s) (name, value) to the request
                                  before the action. It appends to any existing values associated
                                  with the header name.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    add:
                                    - name: "my-header"
                                      value: "bar,baz"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: foo,bar,baz
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                              remove:
                                description: |-
                                  Remove the given header(s) from the HTTP request before the action. The
                                  value of Remove is a list of HTTP header names. Note that the header
                                  names are case-insensitive (see
                                  https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header1: foo
                                    my-header2: bar
                                    my-header3: baz


                                  Config:
                                    remove: ["my-header1", "my-header3"]


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header2: bar
                                items:
                                  type: string
                                maxItems: 16
                                type: array
                                x-kubernetes-list-type: set
                              set:
                                description: |-
                                  Set overwrites the request with the given header (name, value)
                                  before the action.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    set:
                                    - name: "my-header"
                                      value: "bar"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: bar
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                            type: object
                          type:
                            description: |-
                              Type identifies the type of filter to apply. As with other API fields,
                              types are classified into three conformance levels:


                              - Core: Filter types and their corresponding configuration defined by
                                "Support: Core" in this package, e.g. "RequestHeaderModifier". All
                                implementations must support core filters.


                              - Extended: Filter types and their corresponding configuration defined by
                                "Support: Extended" in this package, e.g. "RequestMirror". Implementers
                                are encouraged to support extended filters.


                              - Implementation-specific: Filters that are defined and supported by
                                specific vendors.
                                In the future, filters showing convergence in behavior across multiple
                                implementations will be considered for inclusion in extended or core
                                conformance levels. Filter-specific configuration for such filters
                                is specified using the ExtensionRef field. `Type` should be set to
                                "ExtensionRef" for custom filters.


                              Implementers are encouraged to define custom implementation types to
                              extend the core API with implementation-specific behavior.


                              If a reference to a custom filter type cannot be resolved, the filter
                              MUST NOT be skipped. Instead, requests that would have been processed by
                              that filter MUST receive a HTTP error response.


                              Note that values may be added to this enum, implementations
                              must ensure that unknown values will not cause a crash.


                              Unknown values here must result in the implementation setting the
                              Accepted Condition for the Route to `status: False`, with a
                              Reason of `UnsupportedValue`.
                            enum:
                            - RequestHeaderModifier
                            - ResponseHeaderModifier
                            - RequestMirror
                            - RequestRedirect
                            - URLRewrite
                            - ExtensionRef
                            type: string
                          urlRewrite:
                            description: |-
                              URLRewrite defines a schema for a filter that modifies a request during forwarding.


                              Support: Extended
                            properties:
                              hostname:
                                description: |-
                                  Hostname is the value to be used to replace the Host header value during
                                  forwarding.


                                  Support: Extended
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              path:
                                description: |-
                                  Path defines a path rewrite.


                                  Support: Extended
                                properties:
                                  replaceFullPath:
                                    description: |-
                                      ReplaceFullPath specifies the value with which to replace the full path
                                      of a request during a rewrite or redirect.
                                    maxLength: 1024
                                    type: string
                                  replacePrefixMatch:
                                    description: |-
                                      ReplacePrefixMatch specifies the value with which to replace the prefix
                                      match of a request during a rewrite or redirect. For example, a request
                                      to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
                                      of "/xyz" would be modified to "/xyz/bar".


                                      Note that this matches the behavior of the PathPrefix match type. This
                                      matches full path elements. A path element refers to the list of labels
                                      in the path split by the `/` separator. When specified, a trailing `/` is
                                      ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
                                      match the prefix `/abc`, but the path `/abcd` would not.


                                      ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
                                      Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
                                      the implementation setting the Accepted Condition for the Route to `status: False`.


                                      Request Path | Prefix Match | Replace Prefix | Modified Path
                                      -------------|--------------|----------------|----------
                                      /foo/bar     | /foo         | /xyz           | /xyz/bar
                                      /foo/bar     | /foo         | /xyz/          | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz           | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz/          | /xyz/bar
                                      /foo         | /foo         | /xyz           | /xyz
                                      /foo/        | /foo         | /xyz           | /xyz/
                                      /foo/bar     | /foo         | <empty string> | /bar
                                      /foo/        | /foo         | <empty string> | /
                                      /foo         | /foo         | <empty string> | /
                                      /foo/        | /foo         | /              | /
                                      /foo         | /foo         | /              | /
                                    maxLength: 1024
                                    type: string
                                  type:
                                    description: |-
                                      Type defines the type of path modifier. Additional types may be
                                      added in a future release of the API.


                                      Note that values may be added to this enum, implementations
                                      must ensure that unknown values will not cause a crash.


                                      Unknown values here must result in the implementation setting the
                                      Accepted Condition for the Route to `status: False`, with a
                                      Reason of `UnsupportedValue`.
                                    enum:
                                    - ReplaceFullPath
                                    - ReplacePrefixMatch
                                    type: string
                                required:
                                - type
                                type: object
                                x-kubernetes-validations:
                                - message: replaceFullPath must be specified when
                                    type is set to 'ReplaceFullPath'
                                  rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
                                    : true'
                                - message: type must be 'ReplaceFullPath' when replaceFullPath
                                    is set
                                  rule: 'has(self.replaceFullPath) ? self.type ==
                                    ''ReplaceFullPath'' : true'
                                - message: replacePrefixMatch must be specified when
                                    type is set to 'ReplacePrefixMatch'
                                  rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
                                    : true'
                                - message: type must be 'ReplacePrefixMatch' when
                                    replacePrefixMatch is set
                                  rule: 'has(self.replacePrefixMatch) ? self.type
                                    == ''ReplacePrefixMatch'' : true'
                            type: object
                        required:
                        - type
                        type: object
                        x-kubernetes-validations:
                        - message: filter.requestHeaderModifier must be nil if the
                            filter.type is not RequestHeaderModifier
                          rule: '!(has(self.requestHeaderModifier) && self.type !=
                            ''RequestHeaderModifier'')'
                        - message: filter.requestHeaderModifier must be specified
                            for RequestHeaderModifier filter.type
                          rule: '!(!has(self.requestHeaderModifier) && self.type ==
                            ''RequestHeaderModifier'')'
                        - message: filter.responseHeaderModifier must be nil if the
                            filter.type is not ResponseHeaderModifier
                          rule: '!(has(self.responseHeaderModifier) && self.type !=
                            ''ResponseHeaderModifier'')'
                        - message: filter.responseHeaderModifier must be specified
                            for ResponseHeaderModifier filter.type
                          rule: '!(!has(self.responseHeaderModifier) && self.type
                            == ''ResponseHeaderModifier'')'
                        - message: filter.requestMirror must be nil if the filter.type
                            is not RequestMirror
                          rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
                        - message: filter.requestMirror must be specified for RequestMirror
                            filter.type
                          rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
                        - message: filter.requestRedirect must be nil if the filter.type
                            is not RequestRedirect
                          rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
                        - message: filter.requestRedirect must be specified for RequestRedirect
                            filter.type
                          rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
                        - message: filter.urlRewrite must be nil if the filter.type
                            is not URLRewrite
                          rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
                        - message: filter.urlRewrite must be specified for URLRewrite
                            filter.type
                          rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
                        - message: filter.extensionRef must be nil if the filter.type
                            is not ExtensionRef
                          rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
                        - message: filter.extensionRef must be specified for ExtensionRef
                            filter.type
                          rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
                      maxItems: 16
                      type: array
                      x-kubernetes-validations:
                      - message: May specify either httpRouteFilterRequestRedirect
                          or httpRouteFilterRequestRewrite, but not both
                        rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
                          self.exists(f, f.type == ''URLRewrite''))'
                      - message: RequestHeaderModifier filter cannot be repeated
                        rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
                          <= 1
                      - message: ResponseHeaderModifier filter cannot be repeated
                        rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
                          <= 1
                      - message: RequestRedirect filter cannot be repeated
                        rule: self.filter(f, f.type == 'RequestRedirect').size() <=
                          1
                      - message: URLRewrite filter cannot be repeated
                        rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
                    matches:
                      default:
                      - path:
                          type: PathPrefix
                          value: /
                      description: |-
                        Matches define conditions used for matching the rule against incoming
                        HTTP requests. Each match is independent, i.e. this rule will be matched
                        if **any** one of the matches is satisfied.


                        For example, take the following matches configuration:


                        ```
                        matches:
                        - path:
                            value: "/foo"
                          headers:
                          - name: "version"
                            value: "v2"
                        - path:
                            value: "/v2/foo"
                        ```


                        For a request to match against this rule, a request must satisfy
                        EITHER of the two conditions:


                        - path prefixed with `/foo` AND contains the header `version: v2`
                        - path prefix of `/v2/foo`


                        See the documentation for HTTPRouteMatch on how to specify multiple
                        match conditions that should be ANDed together.


                        If no matches are specified, the default is a prefix
                        path match on "/", which has the effect of matching every
                        HTTP request.


                        Proxy or Load Balancer routing configuration generated from HTTPRoutes
                        MUST prioritize matches based on the following criteria, continuing on
                        ties. Across all rules specified on applicable Routes, precedence must be
                        given to the match having:


                        * "Exact" path match.
                        * "Prefix" path match with largest number of characters.
                        * Method match.
                        * Largest number of header matches.
                        * Largest number of query param matches.


                        Note: The precedence of RegularExpression path matches are implementation-specific.


                        If ties still exist across multiple Routes, matching precedence MUST be
                        determined in order of the following criteria, continuing on ties:


                        * The oldest Route based on creation timestamp.
                        * The Route appearing first in alphabetical order by
                          "{namespace}/{name}".


                        If ties still exist within an HTTPRoute, matching precedence MUST be granted
                        to the FIRST matching rule (in list order) with a match meeting the above
                        criteria.


                        When no rules matching a request have been successfully attached to the
                        parent a request is coming from, a HTTP 404 status code MUST be returned.
                      items:
                        description: "HTTPRouteMatch defines the predicate used to
                          match requests to a given\naction. Multiple match types
                          are ANDed together, i.e. the match will\nevaluate to true
                          only if all conditions are satisfied.\n\n\nFor example,
                          the match below will match a HTTP request only if its path\nstarts
                          with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t
                          \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
                          \ value \"v1\"\n\n\n```"
                        properties:
                          headers:
                            description: |-
                              Headers specifies HTTP request header matchers. Multiple match values are
                              ANDed together, meaning, a request must match all the specified headers
                              to select the route.
                            items:
                              description: |-
                                HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
                                headers.
                              properties:
                                name:
                                  description: |-
                                    Name is the name of the HTTP Header to be matched. Name matching MUST be
                                    case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                    If multiple entries specify equivalent header names, only the first
                                    entry with an equivalent name MUST be considered for a match. Subsequent
                                    entries with an equivalent header name MUST be ignored. Due to the
                                    case-insensitivity of header names, "foo" and "Foo" are considered
                                    equivalent.


                                    When a header is repeated in an HTTP request, it is
                                    implementation-specific behavior as to how this is represented.
                                    Generally, proxies should follow the guidance from the RFC:
                                    https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
                                    processing a repeated header, with special handling for "Set-Cookie".
                                  maxLength: 256
                                  minLength: 1
                                  pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                  type: string
                                type:
                                  default: Exact
                                  description: |-
                                    Type specifies how to match against the value of the header.


                                    Support: Core (Exact)


                                    Support: Implementation-specific (RegularExpression)


                                    Since RegularExpression HeaderMatchType has implementation-specific
                                    conformance, implementations can support POSIX, PCRE or any other dialects
                                    of regular expressions. Please read the implementation's documentation to
                                    determine the supported dialect.
                                  enum:
                                  - Exact
                                  - RegularExpression
                                  type: string
                                value:
                                  description: Value is the value of HTTP Header to
                                    be matched.
                                  maxLength: 4096
                                  minLength: 1
                                  type: string
                              required:
                              - name
                              - value
                              type: object
                            maxItems: 16
                            type: array
                            x-kubernetes-list-map-keys:
                            - name
                            x-kubernetes-list-type: map
                          method:
                            description: |-
                              Method specifies HTTP method matcher.
                              When specified, this route will be matched only if the request has the
                              specified method.


                              Support: Extended
                            enum:
                            - GET
                            - HEAD
                            - POST
                            - PUT
                            - DELETE
                            - CONNECT
                            - OPTIONS
                            - TRACE
                            - PATCH
                            type: string
                          path:
                            default:
                              type: PathPrefix
                              value: /
                            description: |-
                              Path specifies a HTTP request path matcher. If this field is not
                              specified, a default prefix match on the "/" path is provided.
                            properties:
                              type:
                                default: PathPrefix
                                description: |-
                                  Type specifies how to match against the path Value.


                                  Support: Core (Exact, PathPrefix)


                                  Support: Implementation-specific (RegularExpression)
                                enum:
                                - Exact
                                - PathPrefix
                                - RegularExpression
                                type: string
                              value:
                                default: /
                                description: Value of the HTTP path to match against.
                                maxLength: 1024
                                type: string
                            type: object
                            x-kubernetes-validations:
                            - message: value must be an absolute path and start with
                                '/' when type one of ['Exact', 'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
                                : true'
                            - message: must not contain '//' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
                                : true'
                            - message: must not contain '/./' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
                                : true'
                            - message: must not contain '/../' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
                                : true'
                            - message: must not contain '%2f' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
                                : true'
                            - message: must not contain '%2F' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
                                : true'
                            - message: must not contain '#' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
                                : true'
                            - message: must not end with '/..' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
                                : true'
                            - message: must not end with '/.' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
                                : true'
                            - message: type must be one of ['Exact', 'PathPrefix',
                                'RegularExpression']
                              rule: self.type in ['Exact','PathPrefix'] || self.type
                                == 'RegularExpression'
                            - message: must only contain valid characters (matching
                                ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
                                for types ['Exact', 'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
                                : true'
                          queryParams:
                            description: |-
                              QueryParams specifies HTTP query parameter matchers. Multiple match
                              values are ANDed together, meaning, a request must match all the
                              specified query parameters to select the route.


                              Support: Extended
                            items:
                              description: |-
                                HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
                                query parameters.
                              properties:
                                name:
                                  description: |-
                                    Name is the name of the HTTP query param to be matched. This must be an
                                    exact string match. (See
                                    https://tools.ietf.org/html/rfc7230#section-2.7.3).


                                    If multiple entries specify equivalent query param names, only the first
                                    entry with an equivalent name MUST be considered for a match. Subsequent
                                    entries with an equivalent query param name MUST be ignored.


                                    If a query param is repeated in an HTTP request, the behavior is
                                    purposely left undefined, since different data planes have different
                                    capabilities. However, it is *recommended* that implementations should
                                    match against the first value of the param if the data plane supports it,
                                    as this behavior is expected in other load balancing contexts outside of
                                    the Gateway API.


                                    Users SHOULD NOT route traffic based on repeated query params to guard
                                    themselves against potential differences in the implementations.
                                  maxLength: 256
                                  minLength: 1
                                  pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                  type: string
                                type:
                                  default: Exact
                                  description: |-
                                    Type specifies how to match against the value of the query parameter.


                                    Support: Extended (Exact)


                                    Support: Implementation-specific (RegularExpression)


                                    Since RegularExpression QueryParamMatchType has Implementation-specific
                                    conformance, implementations can support POSIX, PCRE or any other
                                    dialects of regular expressions. Please read the implementation's
                                    documentation to determine the supported dialect.
                                  enum:
                                  - Exact
                                  - RegularExpression
                                  type: string
                                value:
                                  description: Value is the value of HTTP query param
                                    to be matched.
                                  maxLength: 1024
                                  minLength: 1
                                  type: string
                              required:
                              - name
                              - value
                              type: object
                            maxItems: 16
                            type: array
                            x-kubernetes-list-map-keys:
                            - name
                            x-kubernetes-list-type: map
                        type: object
                      maxItems: 8
                      type: array
                    sessionPersistence:
                      description: |+
                        SessionPersistence defines and configures session persistence
                        for the route rule.


                        Support: Extended


                      properties:
                        absoluteTimeout:
                          description: |-
                            AbsoluteTimeout defines the absolute timeout of the persistent
                            session. Once the AbsoluteTimeout duration has elapsed, the
                            session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        cookieConfig:
                          description: |-
                            CookieConfig provides configuration settings that are specific
                            to cookie-based session persistence.


                            Support: Core
                          properties:
                            lifetimeType:
                              default: Session
                              description: |-
                                LifetimeType specifies whether the cookie has a permanent or
                                session-based lifetime. A permanent cookie persists until its
                                specified expiry time, defined by the Expires or Max-Age cookie
                                attributes, while a session cookie is deleted when the current
                                session ends.


                                When set to "Permanent", AbsoluteTimeout indicates the
                                cookie's lifetime via the Expires or Max-Age cookie attributes
                                and is required.


                                When set to "Session", AbsoluteTimeout indicates the
                                absolute lifetime of the cookie tracked by the gateway and
                                is optional.


                                Support: Core for "Session" type


                                Support: Extended for "Permanent" type
                              enum:
                              - Permanent
                              - Session
                              type: string
                          type: object
                        idleTimeout:
                          description: |-
                            IdleTimeout defines the idle timeout of the persistent session.
                            Once the session has been idle for more than the specified
                            IdleTimeout duration, the session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        sessionName:
                          description: |-
                            SessionName defines the name of the persistent session token
                            which may be reflected in the cookie or the header. Users
                            should avoid reusing session names to prevent unintended
                            consequences, such as rejection or unpredictable behavior.


                            Support: Implementation-specific
                          maxLength: 128
                          type: string
                        type:
                          default: Cookie
                          description: |-
                            Type defines the type of session persistence such as through
                            the use a header or cookie. Defaults to cookie based session
                            persistence.


                            Support: Core for "Cookie" type


                            Support: Extended for "Header" type
                          enum:
                          - Cookie
                          - Header
                          type: string
                      type: object
                      x-kubernetes-validations:
                      - message: AbsoluteTimeout must be specified when cookie lifetimeType
                          is Permanent
                        rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType
                          != ''Permanent'' || has(self.absoluteTimeout)'
                    timeouts:
                      description: |+
                        Timeouts defines the timeouts that can be configured for an HTTP request.


                        Support: Extended


                      properties:
                        backendRequest:
                          description: |-
                            BackendRequest specifies a timeout for an individual request from the gateway
                            to a backend. This covers the time from when the request first starts being
                            sent from the gateway to when the full response has been received from the backend.


                            Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
                            completely. Implementations that cannot completely disable the timeout MUST
                            instead interpret the zero duration as the longest possible value to which
                            the timeout can be set.


                            An entire client HTTP transaction with a gateway, covered by the Request timeout,
                            may result in more than one call from the gateway to the destination backend,
                            for example, if automatic retries are supported.


                            Because the Request timeout encompasses the BackendRequest timeout, the value of
                            BackendRequest must be <= the value of Request timeout.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        request:
                          description: |-
                            Request specifies the maximum duration for a gateway to respond to an HTTP request.
                            If the gateway has not been able to respond before this deadline is met, the gateway
                            MUST return a timeout error.


                            For example, setting the `rules.timeouts.request` field to the value `10s` in an
                            `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
                            to complete.


                            Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
                            completely. Implementations that cannot completely disable the timeout MUST
                            instead interpret the zero duration as the longest possible value to which
                            the timeout can be set.


                            This timeout is intended to cover as close to the whole request-response transaction
                            as possible although an implementation MAY choose to start the timeout after the entire
                            request stream has been received instead of immediately after the transaction is
                            initiated by the client.


                            When this field is unspecified, request timeout behavior is implementation-specific.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                      type: object
                      x-kubernetes-validations:
                      - message: backendRequest timeout cannot be longer than request
                          timeout
                        rule: '!(has(self.request) && has(self.backendRequest) &&
                          duration(self.request) != duration(''0s'') && duration(self.backendRequest)
                          > duration(self.request))'
                  type: object
                  x-kubernetes-validations:
                  - message: RequestRedirect filter must not be used together with
                      backendRefs
                    rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
                      (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
                      true'
                  - message: When using RequestRedirect filter with path.replacePrefixMatch,
                      exactly one PathPrefix match must be specified
                    rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
                      && has(f.requestRedirect.path) && f.requestRedirect.path.type
                      == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
                      ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
                      self.matches[0].path.type != ''PathPrefix'') ? false : true)
                      : true'
                  - message: When using URLRewrite filter with path.replacePrefixMatch,
                      exactly one PathPrefix match must be specified
                    rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
                      && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
                      && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
                      != 1 || !has(self.matches[0].path) || self.matches[0].path.type
                      != ''PathPrefix'') ? false : true) : true'
                  - message: Within backendRefs, when using RequestRedirect filter
                      with path.replacePrefixMatch, exactly one PathPrefix match must
                      be specified
                    rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
                      (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
                      && has(f.requestRedirect.path) && f.requestRedirect.path.type
                      == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
                      )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
                      || self.matches[0].path.type != ''PathPrefix'') ? false : true)
                      : true'
                  - message: Within backendRefs, When using URLRewrite filter with
                      path.replacePrefixMatch, exactly one PathPrefix match must be
                      specified
                    rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
                      (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
                      && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
                      && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
                      != 1 || !has(self.matches[0].path) || self.matches[0].path.type
                      != ''PathPrefix'') ? false : true) : true'
                maxItems: 16
                type: array
            type: object
          status:
            description: Status defines the current state of HTTPRoute.
            properties:
              parents:
                description: |-
                  Parents is a list of parent resources (usually Gateways) that are
                  associated with the route, and the status of the route with respect to
                  each parent. When this route attaches to a parent, the controller that
                  manages the parent must add an entry to this list when the controller
                  first sees the route and should update the entry as appropriate when the
                  route or gateway is modified.


                  Note that parent references that cannot be resolved by an implementation
                  of this API will not be added to this list. Implementations of this API
                  can only populate Route status for the Gateways/parent resources they are
                  responsible for.


                  A maximum of 32 Gateways will be represented in this list. An empty list
                  means the route has not been attached to any Gateway.
                items:
                  description: |-
                    RouteParentStatus describes the status of a route with respect to an
                    associated Parent.
                  properties:
                    conditions:
                      description: |-
                        Conditions describes the status of the route with respect to the Gateway.
                        Note that the route's availability is also subject to the Gateway's own
                        status conditions and listener status.


                        If the Route's ParentRef specifies an existing Gateway that supports
                        Routes of this kind AND that Gateway's controller has sufficient access,
                        then that Gateway's controller MUST set the "Accepted" condition on the
                        Route, to indicate whether the route has been accepted or rejected by the
                        Gateway, and why.


                        A Route MUST be considered "Accepted" if at least one of the Route's
                        rules is implemented by the Gateway.


                        There are a number of cases where the "Accepted" condition may not be set
                        due to lack of controller visibility, that includes when:


                        * The Route refers to a non-existent parent.
                        * The Route is of a type that the controller does not support.
                        * The Route is in a namespace the controller does not have access to.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      minItems: 1
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    controllerName:
                      description: |-
                        ControllerName is a domain/path string that indicates the name of the
                        controller that wrote this status. This corresponds with the
                        controllerName field on GatewayClass.


                        Example: "example.net/gateway-controller".


                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
                        valid Kubernetes names
                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).


                        Controllers MUST populate this field when writing status. Controllers should ensure that
                        entries to status populated with their ControllerName are cleaned up when they are no
                        longer necessary.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    parentRef:
                      description: |-
                        ParentRef corresponds with a ParentRef in the spec that this
                        RouteParentStatus struct describes the status of.
                      properties:
                        group:
                          default: gateway.networking.k8s.io
                          description: |-
                            Group is the group of the referent.
                            When unspecified, "gateway.networking.k8s.io" is inferred.
                            To set the core API group (such as for a "Service" kind referent),
                            Group must be explicitly set to "" (empty string).


                            Support: Core
                          maxLength: 253
                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        kind:
                          default: Gateway
                          description: |-
                            Kind is kind of the referent.


                            There are two kinds of parent resources with "Core" support:


                            * Gateway (Gateway conformance profile)
                            * Service (Mesh conformance profile, ClusterIP Services only)


                            Support for other resources is Implementation-Specific.
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                          type: string
                        name:
                          description: |-
                            Name is the name of the referent.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          type: string
                        namespace:
                          description: |-
                            Namespace is the namespace of the referent. When unspecified, this refers
                            to the local namespace of the Route.


                            Note that there are specific rules for ParentRefs which cross namespace
                            boundaries. Cross-namespace references are only valid if they are explicitly
                            allowed by something in the namespace they are referring to. For example:
                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                            generic way to enable any other kind of cross-namespace reference.



                            ParentRefs from a Route to a Service in the same namespace are "producer"
                            routes, which apply default routing rules to inbound connections from
                            any namespace to the Service.


                            ParentRefs from a Route to a Service in a different namespace are
                            "consumer" routes, and these routing rules are only applied to outbound
                            connections originating from the same namespace as the Route, for which
                            the intended destination of the connections are a Service targeted as a
                            ParentRef of the Route.



                            Support: Core
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                          type: string
                        port:
                          description: |-
                            Port is the network port this Route targets. It can be interpreted
                            differently based on the type of parent resource.


                            When the parent resource is a Gateway, this targets all listeners
                            listening on the specified port that also support this kind of Route(and
                            select this Route). It's not recommended to set `Port` unless the
                            networking behaviors specified in a Route must apply to a specific port
                            as opposed to a listener(s) whose port(s) may be changed. When both Port
                            and SectionName are specified, the name and port of the selected listener
                            must match both specified values.



                            When the parent resource is a Service, this targets a specific port in the
                            Service spec. When both Port (experimental) and SectionName are specified,
                            the name and port of the selected port must match both specified values.



                            Implementations MAY choose to support other parent resources.
                            Implementations supporting other types of parent resources MUST clearly
                            document how/if Port is interpreted.


                            For the purpose of status, an attachment is considered successful as
                            long as the parent resource accepts it partially. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                            from the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route,
                            the Route MUST be considered detached from the Gateway.


                            Support: Extended
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        sectionName:
                          description: |-
                            SectionName is the name of a section within the target resource. In the
                            following resources, SectionName is interpreted as the following:


                            * Gateway: Listener name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.
                            * Service: Port name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.


                            Implementations MAY choose to support attaching Routes to other resources.
                            If that is the case, they MUST clearly document how SectionName is
                            interpreted.


                            When unspecified (empty string), this will reference the entire resource.
                            For the purpose of status, an attachment is considered successful if at
                            least one section in the parent resource accepts it. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                            the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route, the
                            Route MUST be considered detached from the Gateway.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                      required:
                      - name
                      type: object
                  required:
                  - controllerName
                  - parentRef
                  type: object
                maxItems: 32
                type: array
            required:
            - parents
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.hostnames
      name: Hostnames
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: |-
          HTTPRoute provides a way to route HTTP requests. This includes the capability
          to match requests by hostname, path, header, or query param. Filters can be
          used to specify additional processing steps. Backends specify where matching
          requests should be routed.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of HTTPRoute.
            properties:
              hostnames:
                description: |-
                  Hostnames defines a set of hostnames that should match against the HTTP Host
                  header to select a HTTPRoute used to process the request. Implementations
                  MUST ignore any port value specified in the HTTP Host header while
                  performing a match and (absent of any applicable header modification
                  configuration) MUST forward this header unmodified to the backend.


                  Valid values for Hostnames are determined by RFC 1123 definition of a
                  hostname with 2 notable exceptions:


                  1. IPs are not allowed.
                  2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                  label must appear by itself as the first label.


                  If a hostname is specified by both the Listener and HTTPRoute, there
                  must be at least one intersecting hostname for the HTTPRoute to be
                  attached to the Listener. For example:


                  * A Listener with `test.example.com` as the hostname matches HTTPRoutes
                  that have either not specified any hostnames, or have specified at
                  least one of `test.example.com` or `*.example.com`.
                  * A Listener with `*.example.com` as the hostname matches HTTPRoutes
                  that have either not specified any hostnames or have specified at least
                  one hostname that matches the Listener hostname. For example,
                  `*.example.com`, `test.example.com`, and `foo.test.example.com` would
                  all match. On the other hand, `example.com` and `test.example.net` would
                  not match.


                  Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
                  as a suffix match. That means that a match for `*.example.com` would match
                  both `test.example.com`, and `foo.test.example.com`, but not `example.com`.


                  If both the Listener and HTTPRoute have specified hostnames, any
                  HTTPRoute hostnames that do not match the Listener hostname MUST be
                  ignored. For example, if a Listener specified `*.example.com`, and the
                  HTTPRoute specified `test.example.com` and `test.example.net`,
                  `test.example.net` must not be considered for a match.


                  If both the Listener and HTTPRoute have specified hostnames, and none
                  match with the criteria above, then the HTTPRoute is not accepted. The
                  implementation must raise an 'Accepted' Condition with a status of
                  `False` in the corresponding RouteParentStatus.


                  In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
                  overlapping wildcard matching and exact matching hostnames), precedence must
                  be given to rules from the HTTPRoute with the largest number of:


                  * Characters in a matching non-wildcard hostname.
                  * Characters in a matching hostname.


                  If ties exist across multiple Routes, the matching precedence rules for
                  HTTPRouteMatches takes over.


                  Support: Core
                items:
                  description: |-
                    Hostname is the fully qualified domain name of a network host. This matches
                    the RFC 1123 definition of a hostname with 2 notable exceptions:


                    1. IPs are not allowed.
                    2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                    label must appear by itself as the first label.


                    Hostname can be "precise" which is a domain name without the terminating
                    dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
                    domain name prefixed with a single wildcard label (e.g. `*.example.com`).


                    Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
                    alphanumeric characters or '-', and must start and end with an alphanumeric
                    character. No other punctuation is allowed.
                  maxLength: 253
                  minLength: 1
                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                  type: string
                maxItems: 16
                type: array
              parentRefs:
                description: |+
                  ParentRefs references the resources (usually Gateways) that a Route wants
                  to be attached to. Note that the referenced parent resource needs to
                  allow this for the attachment to be complete. For Gateways, that means
                  the Gateway needs to allow attachment from Routes of this kind and
                  namespace. For Services, that means the Service must either be in the same
                  namespace for a "producer" route, or the mesh implementation must support
                  and allow "consumer" routes for the referenced Service. ReferenceGrant is
                  not applicable for governing ParentRefs to Services - it is not possible to
                  create a "producer" route for a Service in a different namespace from the
                  Route.


                  There are two kinds of parent resources with "Core" support:


                  * Gateway (Gateway conformance profile)
                  * Service (Mesh conformance profile, ClusterIP Services only)


                  This API may be extended in the future to support additional kinds of parent
                  resources.


                  ParentRefs must be _distinct_. This means either that:


                  * They select different objects. If this is the case, then parentRef
                  entries are distinct. In terms of fields, this means that the
                  multi-part key defined by `group`, `kind`, `namespace`, and `name` must
                  be unique across all parentRef entries in the Route.
                  * They do not select different objects, but for each optional field used,
                  each ParentRef that selects the same object must set the same set of
                  optional fields to different values. If one ParentRef sets a
                  combination of optional fields, all must set the same combination.


                  Some examples:


                  * If one ParentRef sets `sectionName`, all ParentRefs referencing the
                  same object must also set `sectionName`.
                  * If one ParentRef sets `port`, all ParentRefs referencing the same
                  object must also set `port`.
                  * If one ParentRef sets `sectionName` and `port`, all ParentRefs
                  referencing the same object must also set `sectionName` and `port`.


                  It is possible to separately reference multiple distinct objects that may
                  be collapsed by an implementation. For example, some implementations may
                  choose to merge compatible Gateway Listeners together. If that is the
                  case, the list of routes attached to those resources should also be
                  merged.


                  Note that for ParentRefs that cross namespace boundaries, there are specific
                  rules. Cross-namespace references are only valid if they are explicitly
                  allowed by something in the namespace they are referring to. For example,
                  Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                  generic way to enable other kinds of cross-namespace reference.



                  ParentRefs from a Route to a Service in the same namespace are "producer"
                  routes, which apply default routing rules to inbound connections from
                  any namespace to the Service.


                  ParentRefs from a Route to a Service in a different namespace are
                  "consumer" routes, and these routing rules are only applied to outbound
                  connections originating from the same namespace as the Route, for which
                  the intended destination of the connections are a Service targeted as a
                  ParentRef of the Route.






                items:
                  description: |-
                    ParentReference identifies an API object (usually a Gateway) that can be considered
                    a parent of this resource (usually a route). There are two kinds of parent resources
                    with "Core" support:


                    * Gateway (Gateway conformance profile)
                    * Service (Mesh conformance profile, ClusterIP Services only)


                    This API may be extended in the future to support additional kinds of parent
                    resources.


                    The API object must be valid in the cluster; the Group and Kind must
                    be registered in the cluster for this reference to be valid.
                  properties:
                    group:
                      default: gateway.networking.k8s.io
                      description: |-
                        Group is the group of the referent.
                        When unspecified, "gateway.networking.k8s.io" is inferred.
                        To set the core API group (such as for a "Service" kind referent),
                        Group must be explicitly set to "" (empty string).


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      default: Gateway
                      description: |-
                        Kind is kind of the referent.


                        There are two kinds of parent resources with "Core" support:


                        * Gateway (Gateway conformance profile)
                        * Service (Mesh conformance profile, ClusterIP Services only)


                        Support for other resources is Implementation-Specific.
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent. When unspecified, this refers
                        to the local namespace of the Route.


                        Note that there are specific rules for ParentRefs which cross namespace
                        boundaries. Cross-namespace references are only valid if they are explicitly
                        allowed by something in the namespace they are referring to. For example:
                        Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                        generic way to enable any other kind of cross-namespace reference.



                        ParentRefs from a Route to a Service in the same namespace are "producer"
                        routes, which apply default routing rules to inbound connections from
                        any namespace to the Service.


                        ParentRefs from a Route to a Service in a different namespace are
                        "consumer" routes, and these routing rules are only applied to outbound
                        connections originating from the same namespace as the Route, for which
                        the intended destination of the connections are a Service targeted as a
                        ParentRef of the Route.



                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    port:
                      description: |-
                        Port is the network port this Route targets. It can be interpreted
                        differently based on the type of parent resource.


                        When the parent resource is a Gateway, this targets all listeners
                        listening on the specified port that also support this kind of Route(and
                        select this Route). It's not recommended to set `Port` unless the
                        networking behaviors specified in a Route must apply to a specific port
                        as opposed to a listener(s) whose port(s) may be changed. When both Port
                        and SectionName are specified, the name and port of the selected listener
                        must match both specified values.



                        When the parent resource is a Service, this targets a specific port in the
                        Service spec. When both Port (experimental) and SectionName are specified,
                        the name and port of the selected port must match both specified values.



                        Implementations MAY choose to support other parent resources.
                        Implementations supporting other types of parent resources MUST clearly
                        document how/if Port is interpreted.


                        For the purpose of status, an attachment is considered successful as
                        long as the parent resource accepts it partially. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                        from the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route,
                        the Route MUST be considered detached from the Gateway.


                        Support: Extended
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    sectionName:
                      description: |-
                        SectionName is the name of a section within the target resource. In the
                        following resources, SectionName is interpreted as the following:


                        * Gateway: Listener name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.
                        * Service: Port name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.


                        Implementations MAY choose to support attaching Routes to other resources.
                        If that is the case, they MUST clearly document how SectionName is
                        interpreted.


                        When unspecified (empty string), this will reference the entire resource.
                        For the purpose of status, an attachment is considered successful if at
                        least one section in the parent resource accepts it. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                        the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route, the
                        Route MUST be considered detached from the Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                  required:
                  - name
                  type: object
                maxItems: 32
                type: array
                x-kubernetes-validations:
                - message: sectionName or port must be specified when parentRefs includes
                    2 or more references to the same parent
                  rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
                    == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
                    || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
                    == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
                    || p2.port == 0)): true))'
                - message: sectionName or port must be unique when parentRefs includes
                    2 or more references to the same parent
                  rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
                    == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
                    || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
                    == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
                    == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
                    || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
                    == p2.port))))
              rules:
                default:
                - matches:
                  - path:
                      type: PathPrefix
                      value: /
                description: Rules are a list of HTTP matchers, filters and actions.
                items:
                  description: |-
                    HTTPRouteRule defines semantics for matching an HTTP request based on
                    conditions (matches), processing it (filters), and forwarding the request to
                    an API object (backendRefs).
                  properties:
                    backendRefs:
                      description: |-
                        BackendRefs defines the backend(s) where matching requests should be
                        sent.


                        Failure behavior here depends on how many BackendRefs are specified and
                        how many are invalid.


                        If *all* entries in BackendRefs are invalid, and there are also no filters
                        specified in this route rule, *all* traffic which matches this rule MUST
                        receive a 500 status code.
11989 11990 11991 See the HTTPBackendRef definition for the rules about what makes a single 11992 HTTPBackendRef invalid. 11993 11994 11995 When a HTTPBackendRef is invalid, 500 status codes MUST be returned for 11996 requests that would have otherwise been routed to an invalid backend. If 11997 multiple backends are specified, and some are invalid, the proportion of 11998 requests that would otherwise have been routed to an invalid backend 11999 MUST receive a 500 status code. 12000 12001 12002 For example, if two backends are specified with equal weights, and one is 12003 invalid, 50 percent of traffic must receive a 500. Implementations may 12004 choose how that 50 percent is determined. 12005 12006 12007 Support: Core for Kubernetes Service 12008 12009 12010 Support: Extended for Kubernetes ServiceImport 12011 12012 12013 Support: Implementation-specific for any other resource 12014 12015 12016 Support for weight: Core 12017 items: 12018 description: |- 12019 HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. 12020 12021 12022 Note that when a namespace different than the local namespace is specified, a 12023 ReferenceGrant object is required in the referent namespace to allow that 12024 namespace's owner to accept the reference. See the ReferenceGrant 12025 documentation for details. 12026 12027 12028 <gateway:experimental:description> 12029 12030 12031 When the BackendRef points to a Kubernetes Service, implementations SHOULD 12032 honor the appProtocol field if it is set for the target Service Port. 12033 12034 12035 Implementations supporting appProtocol SHOULD recognize the Kubernetes 12036 Standard Application Protocols defined in KEP-3726. 12037 12038 12039 If a Service appProtocol isn't specified, an implementation MAY infer the 12040 backend protocol through its own means. Implementations MAY infer the 12041 protocol from the Route type referring to the backend Service. 
12042 12043 12044 If a Route is not able to send traffic to the backend using the specified 12045 protocol then the backend is considered invalid. Implementations MUST set the 12046 "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. 12047 12048 12049 </gateway:experimental:description> 12050 properties: 12051 filters: 12052 description: |- 12053 Filters defined at this level should be executed if and only if the 12054 request is being forwarded to the backend defined here. 12055 12056 12057 Support: Implementation-specific (For broader support of filters, use the 12058 Filters field in HTTPRouteRule.) 12059 items: 12060 description: |- 12061 HTTPRouteFilter defines processing steps that must be completed during the 12062 request or response lifecycle. HTTPRouteFilters are meant as an extension 12063 point to express processing that may be done in Gateway implementations. Some 12064 examples include request or response modification, implementing 12065 authentication strategies, rate-limiting, and traffic shaping. API 12066 guarantee/conformance is defined based on the type of the filter. 12067 properties: 12068 extensionRef: 12069 description: |- 12070 ExtensionRef is an optional, implementation-specific extension to the 12071 "filter" behavior. For example, resource "myroutefilter" in group 12072 "networking.example.net"). ExtensionRef MUST NOT be used for core and 12073 extended filters. 12074 12075 12076 This filter can be used multiple times within the same rule. 12077 12078 12079 Support: Implementation-specific 12080 properties: 12081 group: 12082 description: |- 12083 Group is the group of the referent. For example, "gateway.networking.k8s.io". 12084 When unspecified or empty string, core API group is inferred. 12085 maxLength: 253 12086 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 12087 type: string 12088 kind: 12089 description: Kind is kind of the referent. For 12090 example "HTTPRoute" or "Service". 
12091 maxLength: 63 12092 minLength: 1 12093 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 12094 type: string 12095 name: 12096 description: Name is the name of the referent. 12097 maxLength: 253 12098 minLength: 1 12099 type: string 12100 required: 12101 - group 12102 - kind 12103 - name 12104 type: object 12105 requestHeaderModifier: 12106 description: |- 12107 RequestHeaderModifier defines a schema for a filter that modifies request 12108 headers. 12109 12110 12111 Support: Core 12112 properties: 12113 add: 12114 description: |- 12115 Add adds the given header(s) (name, value) to the request 12116 before the action. It appends to any existing values associated 12117 with the header name. 12118 12119 12120 Input: 12121 GET /foo HTTP/1.1 12122 my-header: foo 12123 12124 12125 Config: 12126 add: 12127 - name: "my-header" 12128 value: "bar,baz" 12129 12130 12131 Output: 12132 GET /foo HTTP/1.1 12133 my-header: foo,bar,baz 12134 items: 12135 description: HTTPHeader represents an HTTP 12136 Header name and value as defined by RFC 12137 7230. 12138 properties: 12139 name: 12140 description: |- 12141 Name is the name of the HTTP Header to be matched. Name matching MUST be 12142 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 12143 12144 12145 If multiple entries specify equivalent header names, the first entry with 12146 an equivalent name MUST be considered for a match. Subsequent entries 12147 with an equivalent header name MUST be ignored. Due to the 12148 case-insensitivity of header names, "foo" and "Foo" are considered 12149 equivalent. 12150 maxLength: 256 12151 minLength: 1 12152 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 12153 type: string 12154 value: 12155 description: Value is the value of HTTP 12156 Header to be matched. 
12157 maxLength: 4096 12158 minLength: 1 12159 type: string 12160 required: 12161 - name 12162 - value 12163 type: object 12164 maxItems: 16 12165 type: array 12166 x-kubernetes-list-map-keys: 12167 - name 12168 x-kubernetes-list-type: map 12169 remove: 12170 description: |- 12171 Remove the given header(s) from the HTTP request before the action. The 12172 value of Remove is a list of HTTP header names. Note that the header 12173 names are case-insensitive (see 12174 https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 12175 12176 12177 Input: 12178 GET /foo HTTP/1.1 12179 my-header1: foo 12180 my-header2: bar 12181 my-header3: baz 12182 12183 12184 Config: 12185 remove: ["my-header1", "my-header3"] 12186 12187 12188 Output: 12189 GET /foo HTTP/1.1 12190 my-header2: bar 12191 items: 12192 type: string 12193 maxItems: 16 12194 type: array 12195 x-kubernetes-list-type: set 12196 set: 12197 description: |- 12198 Set overwrites the request with the given header (name, value) 12199 before the action. 12200 12201 12202 Input: 12203 GET /foo HTTP/1.1 12204 my-header: foo 12205 12206 12207 Config: 12208 set: 12209 - name: "my-header" 12210 value: "bar" 12211 12212 12213 Output: 12214 GET /foo HTTP/1.1 12215 my-header: bar 12216 items: 12217 description: HTTPHeader represents an HTTP 12218 Header name and value as defined by RFC 12219 7230. 12220 properties: 12221 name: 12222 description: |- 12223 Name is the name of the HTTP Header to be matched. Name matching MUST be 12224 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 12225 12226 12227 If multiple entries specify equivalent header names, the first entry with 12228 an equivalent name MUST be considered for a match. Subsequent entries 12229 with an equivalent header name MUST be ignored. Due to the 12230 case-insensitivity of header names, "foo" and "Foo" are considered 12231 equivalent. 
12232 maxLength: 256 12233 minLength: 1 12234 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 12235 type: string 12236 value: 12237 description: Value is the value of HTTP 12238 Header to be matched. 12239 maxLength: 4096 12240 minLength: 1 12241 type: string 12242 required: 12243 - name 12244 - value 12245 type: object 12246 maxItems: 16 12247 type: array 12248 x-kubernetes-list-map-keys: 12249 - name 12250 x-kubernetes-list-type: map 12251 type: object 12252 requestMirror: 12253 description: |- 12254 RequestMirror defines a schema for a filter that mirrors requests. 12255 Requests are sent to the specified destination, but responses from 12256 that destination are ignored. 12257 12258 12259 This filter can be used multiple times within the same rule. Note that 12260 not all implementations will be able to support mirroring to multiple 12261 backends. 12262 12263 12264 Support: Extended 12265 properties: 12266 backendRef: 12267 description: |- 12268 BackendRef references a resource where mirrored requests are sent. 12269 12270 12271 Mirrored requests must be sent only to a single destination endpoint 12272 within this BackendRef, irrespective of how many endpoints are present 12273 within this BackendRef. 12274 12275 12276 If the referent cannot be found, this BackendRef is invalid and must be 12277 dropped from the Gateway. The controller must ensure the "ResolvedRefs" 12278 condition on the Route status is set to `status: False` and not configure 12279 this backend in the underlying implementation. 12280 12281 12282 If there is a cross-namespace reference to an *existing* object 12283 that is not allowed by a ReferenceGrant, the controller must ensure the 12284 "ResolvedRefs" condition on the Route is set to `status: False`, 12285 with the "RefNotPermitted" reason and not configure this backend in the 12286 underlying implementation. 
12287 12288 12289 In either error case, the Message of the `ResolvedRefs` Condition 12290 should be used to provide more detail about the problem. 12291 12292 12293 Support: Extended for Kubernetes Service 12294 12295 12296 Support: Implementation-specific for any other resource 12297 properties: 12298 group: 12299 default: "" 12300 description: |- 12301 Group is the group of the referent. For example, "gateway.networking.k8s.io". 12302 When unspecified or empty string, core API group is inferred. 12303 maxLength: 253 12304 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 12305 type: string 12306 kind: 12307 default: Service 12308 description: |- 12309 Kind is the Kubernetes resource kind of the referent. For example 12310 "Service". 12311 12312 12313 Defaults to "Service" when not specified. 12314 12315 12316 ExternalName services can refer to CNAME DNS records that may live 12317 outside of the cluster and as such are difficult to reason about in 12318 terms of conformance. They also may not be safe to forward to (see 12319 CVE-2021-25740 for more information). Implementations SHOULD NOT 12320 support ExternalName Services. 12321 12322 12323 Support: Core (Services with a type other than ExternalName) 12324 12325 12326 Support: Implementation-specific (Services with type ExternalName) 12327 maxLength: 63 12328 minLength: 1 12329 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 12330 type: string 12331 name: 12332 description: Name is the name of the referent. 12333 maxLength: 253 12334 minLength: 1 12335 type: string 12336 namespace: 12337 description: |- 12338 Namespace is the namespace of the backend. When unspecified, the local 12339 namespace is inferred. 12340 12341 12342 Note that when a namespace different than the local namespace is specified, 12343 a ReferenceGrant object is required in the referent namespace to allow that 12344 namespace's owner to accept the reference. See the ReferenceGrant 12345 documentation for details. 
12346 12347 12348 Support: Core 12349 maxLength: 63 12350 minLength: 1 12351 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 12352 type: string 12353 port: 12354 description: |- 12355 Port specifies the destination port number to use for this resource. 12356 Port is required when the referent is a Kubernetes Service. In this 12357 case, the port number is the service port number, not the target port. 12358 For other resources, destination port might be derived from the referent 12359 resource or this field. 12360 format: int32 12361 maximum: 65535 12362 minimum: 1 12363 type: integer 12364 required: 12365 - name 12366 type: object 12367 x-kubernetes-validations: 12368 - message: Must have port for Service reference 12369 rule: '(size(self.group) == 0 && self.kind 12370 == ''Service'') ? has(self.port) : true' 12371 required: 12372 - backendRef 12373 type: object 12374 requestRedirect: 12375 description: |- 12376 RequestRedirect defines a schema for a filter that responds to the 12377 request with an HTTP redirection. 12378 12379 12380 Support: Core 12381 properties: 12382 hostname: 12383 description: |- 12384 Hostname is the hostname to be used in the value of the `Location` 12385 header in the response. 12386 When empty, the hostname in the `Host` header of the request is used. 12387 12388 12389 Support: Core 12390 maxLength: 253 12391 minLength: 1 12392 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 12393 type: string 12394 path: 12395 description: |- 12396 Path defines parameters used to modify the path of the incoming request. 12397 The modified path is then used to construct the `Location` header. When 12398 empty, the request path is used as-is. 12399 12400 12401 Support: Extended 12402 properties: 12403 replaceFullPath: 12404 description: |- 12405 ReplaceFullPath specifies the value with which to replace the full path 12406 of a request during a rewrite or redirect. 
12407 maxLength: 1024 12408 type: string 12409 replacePrefixMatch: 12410 description: |- 12411 ReplacePrefixMatch specifies the value with which to replace the prefix 12412 match of a request during a rewrite or redirect. For example, a request 12413 to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch 12414 of "/xyz" would be modified to "/xyz/bar". 12415 12416 12417 Note that this matches the behavior of the PathPrefix match type. This 12418 matches full path elements. A path element refers to the list of labels 12419 in the path split by the `/` separator. When specified, a trailing `/` is 12420 ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all 12421 match the prefix `/abc`, but the path `/abcd` would not. 12422 12423 12424 ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 12425 Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in 12426 the implementation setting the Accepted Condition for the Route to `status: False`. 12427 12428 12429 Request Path | Prefix Match | Replace Prefix | Modified Path 12430 -------------|--------------|----------------|---------- 12431 /foo/bar | /foo | /xyz | /xyz/bar 12432 /foo/bar | /foo | /xyz/ | /xyz/bar 12433 /foo/bar | /foo/ | /xyz | /xyz/bar 12434 /foo/bar | /foo/ | /xyz/ | /xyz/bar 12435 /foo | /foo | /xyz | /xyz 12436 /foo/ | /foo | /xyz | /xyz/ 12437 /foo/bar | /foo | <empty string> | /bar 12438 /foo/ | /foo | <empty string> | / 12439 /foo | /foo | <empty string> | / 12440 /foo/ | /foo | / | / 12441 /foo | /foo | / | / 12442 maxLength: 1024 12443 type: string 12444 type: 12445 description: |- 12446 Type defines the type of path modifier. Additional types may be 12447 added in a future release of the API. 12448 12449 12450 Note that values may be added to this enum, implementations 12451 must ensure that unknown values will not cause a crash. 
12452 12453 12454 Unknown values here must result in the implementation setting the 12455 Accepted Condition for the Route to `status: False`, with a 12456 Reason of `UnsupportedValue`. 12457 enum: 12458 - ReplaceFullPath 12459 - ReplacePrefixMatch 12460 type: string 12461 required: 12462 - type 12463 type: object 12464 x-kubernetes-validations: 12465 - message: replaceFullPath must be specified 12466 when type is set to 'ReplaceFullPath' 12467 rule: 'self.type == ''ReplaceFullPath'' ? 12468 has(self.replaceFullPath) : true' 12469 - message: type must be 'ReplaceFullPath' when 12470 replaceFullPath is set 12471 rule: 'has(self.replaceFullPath) ? self.type 12472 == ''ReplaceFullPath'' : true' 12473 - message: replacePrefixMatch must be specified 12474 when type is set to 'ReplacePrefixMatch' 12475 rule: 'self.type == ''ReplacePrefixMatch'' 12476 ? has(self.replacePrefixMatch) : true' 12477 - message: type must be 'ReplacePrefixMatch' 12478 when replacePrefixMatch is set 12479 rule: 'has(self.replacePrefixMatch) ? self.type 12480 == ''ReplacePrefixMatch'' : true' 12481 port: 12482 description: |- 12483 Port is the port to be used in the value of the `Location` 12484 header in the response. 12485 12486 12487 If no port is specified, the redirect port MUST be derived using the 12488 following rules: 12489 12490 12491 * If redirect scheme is not-empty, the redirect port MUST be the well-known 12492 port associated with the redirect scheme. Specifically "http" to port 80 12493 and "https" to port 443. If the redirect scheme does not have a 12494 well-known port, the listener port of the Gateway SHOULD be used. 12495 * If redirect scheme is empty, the redirect port MUST be the Gateway 12496 Listener port. 
12497 12498 12499 Implementations SHOULD NOT add the port number in the 'Location' 12500 header in the following cases: 12501 12502 12503 * A Location header that will use HTTP (whether that is determined via 12504 the Listener protocol or the Scheme field) _and_ use port 80. 12505 * A Location header that will use HTTPS (whether that is determined via 12506 the Listener protocol or the Scheme field) _and_ use port 443. 12507 12508 12509 Support: Extended 12510 format: int32 12511 maximum: 65535 12512 minimum: 1 12513 type: integer 12514 scheme: 12515 description: |- 12516 Scheme is the scheme to be used in the value of the `Location` header in 12517 the response. When empty, the scheme of the request is used. 12518 12519 12520 Scheme redirects can affect the port of the redirect, for more information, 12521 refer to the documentation for the port field of this filter. 12522 12523 12524 Note that values may be added to this enum, implementations 12525 must ensure that unknown values will not cause a crash. 12526 12527 12528 Unknown values here must result in the implementation setting the 12529 Accepted Condition for the Route to `status: False`, with a 12530 Reason of `UnsupportedValue`. 12531 12532 12533 Support: Extended 12534 enum: 12535 - http 12536 - https 12537 type: string 12538 statusCode: 12539 default: 302 12540 description: |- 12541 StatusCode is the HTTP status code to be used in response. 12542 12543 12544 Note that values may be added to this enum, implementations 12545 must ensure that unknown values will not cause a crash. 12546 12547 12548 Unknown values here must result in the implementation setting the 12549 Accepted Condition for the Route to `status: False`, with a 12550 Reason of `UnsupportedValue`. 
12551 12552 12553 Support: Core 12554 enum: 12555 - 301 12556 - 302 12557 type: integer 12558 type: object 12559 responseHeaderModifier: 12560 description: |- 12561 ResponseHeaderModifier defines a schema for a filter that modifies response 12562 headers. 12563 12564 12565 Support: Extended 12566 properties: 12567 add: 12568 description: |- 12569 Add adds the given header(s) (name, value) to the request 12570 before the action. It appends to any existing values associated 12571 with the header name. 12572 12573 12574 Input: 12575 GET /foo HTTP/1.1 12576 my-header: foo 12577 12578 12579 Config: 12580 add: 12581 - name: "my-header" 12582 value: "bar,baz" 12583 12584 12585 Output: 12586 GET /foo HTTP/1.1 12587 my-header: foo,bar,baz 12588 items: 12589 description: HTTPHeader represents an HTTP 12590 Header name and value as defined by RFC 12591 7230. 12592 properties: 12593 name: 12594 description: |- 12595 Name is the name of the HTTP Header to be matched. Name matching MUST be 12596 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 12597 12598 12599 If multiple entries specify equivalent header names, the first entry with 12600 an equivalent name MUST be considered for a match. Subsequent entries 12601 with an equivalent header name MUST be ignored. Due to the 12602 case-insensitivity of header names, "foo" and "Foo" are considered 12603 equivalent. 12604 maxLength: 256 12605 minLength: 1 12606 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 12607 type: string 12608 value: 12609 description: Value is the value of HTTP 12610 Header to be matched. 12611 maxLength: 4096 12612 minLength: 1 12613 type: string 12614 required: 12615 - name 12616 - value 12617 type: object 12618 maxItems: 16 12619 type: array 12620 x-kubernetes-list-map-keys: 12621 - name 12622 x-kubernetes-list-type: map 12623 remove: 12624 description: |- 12625 Remove the given header(s) from the HTTP request before the action. The 12626 value of Remove is a list of HTTP header names. 
Note that the header 12627 names are case-insensitive (see 12628 https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 12629 12630 12631 Input: 12632 GET /foo HTTP/1.1 12633 my-header1: foo 12634 my-header2: bar 12635 my-header3: baz 12636 12637 12638 Config: 12639 remove: ["my-header1", "my-header3"] 12640 12641 12642 Output: 12643 GET /foo HTTP/1.1 12644 my-header2: bar 12645 items: 12646 type: string 12647 maxItems: 16 12648 type: array 12649 x-kubernetes-list-type: set 12650 set: 12651 description: |- 12652 Set overwrites the request with the given header (name, value) 12653 before the action. 12654 12655 12656 Input: 12657 GET /foo HTTP/1.1 12658 my-header: foo 12659 12660 12661 Config: 12662 set: 12663 - name: "my-header" 12664 value: "bar" 12665 12666 12667 Output: 12668 GET /foo HTTP/1.1 12669 my-header: bar 12670 items: 12671 description: HTTPHeader represents an HTTP 12672 Header name and value as defined by RFC 12673 7230. 12674 properties: 12675 name: 12676 description: |- 12677 Name is the name of the HTTP Header to be matched. Name matching MUST be 12678 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 12679 12680 12681 If multiple entries specify equivalent header names, the first entry with 12682 an equivalent name MUST be considered for a match. Subsequent entries 12683 with an equivalent header name MUST be ignored. Due to the 12684 case-insensitivity of header names, "foo" and "Foo" are considered 12685 equivalent. 12686 maxLength: 256 12687 minLength: 1 12688 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ 12689 type: string 12690 value: 12691 description: Value is the value of HTTP 12692 Header to be matched. 
12693 maxLength: 4096 12694 minLength: 1 12695 type: string 12696 required: 12697 - name 12698 - value 12699 type: object 12700 maxItems: 16 12701 type: array 12702 x-kubernetes-list-map-keys: 12703 - name 12704 x-kubernetes-list-type: map 12705 type: object 12706 type: 12707 description: |- 12708 Type identifies the type of filter to apply. As with other API fields, 12709 types are classified into three conformance levels: 12710 12711 12712 - Core: Filter types and their corresponding configuration defined by 12713 "Support: Core" in this package, e.g. "RequestHeaderModifier". All 12714 implementations must support core filters. 12715 12716 12717 - Extended: Filter types and their corresponding configuration defined by 12718 "Support: Extended" in this package, e.g. "RequestMirror". Implementers 12719 are encouraged to support extended filters. 12720 12721 12722 - Implementation-specific: Filters that are defined and supported by 12723 specific vendors. 12724 In the future, filters showing convergence in behavior across multiple 12725 implementations will be considered for inclusion in extended or core 12726 conformance levels. Filter-specific configuration for such filters 12727 is specified using the ExtensionRef field. `Type` should be set to 12728 "ExtensionRef" for custom filters. 12729 12730 12731 Implementers are encouraged to define custom implementation types to 12732 extend the core API with implementation-specific behavior. 12733 12734 12735 If a reference to a custom filter type cannot be resolved, the filter 12736 MUST NOT be skipped. Instead, requests that would have been processed by 12737 that filter MUST receive a HTTP error response. 12738 12739 12740 Note that values may be added to this enum, implementations 12741 must ensure that unknown values will not cause a crash. 
12742 12743 12744 Unknown values here must result in the implementation setting the 12745 Accepted Condition for the Route to `status: False`, with a 12746 Reason of `UnsupportedValue`. 12747 enum: 12748 - RequestHeaderModifier 12749 - ResponseHeaderModifier 12750 - RequestMirror 12751 - RequestRedirect 12752 - URLRewrite 12753 - ExtensionRef 12754 type: string 12755 urlRewrite: 12756 description: |- 12757 URLRewrite defines a schema for a filter that modifies a request during forwarding. 12758 12759 12760 Support: Extended 12761 properties: 12762 hostname: 12763 description: |- 12764 Hostname is the value to be used to replace the Host header value during 12765 forwarding. 12766 12767 12768 Support: Extended 12769 maxLength: 253 12770 minLength: 1 12771 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 12772 type: string 12773 path: 12774 description: |- 12775 Path defines a path rewrite. 12776 12777 12778 Support: Extended 12779 properties: 12780 replaceFullPath: 12781 description: |- 12782 ReplaceFullPath specifies the value with which to replace the full path 12783 of a request during a rewrite or redirect. 12784 maxLength: 1024 12785 type: string 12786 replacePrefixMatch: 12787 description: |- 12788 ReplacePrefixMatch specifies the value with which to replace the prefix 12789 match of a request during a rewrite or redirect. For example, a request 12790 to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch 12791 of "/xyz" would be modified to "/xyz/bar". 12792 12793 12794 Note that this matches the behavior of the PathPrefix match type. This 12795 matches full path elements. A path element refers to the list of labels 12796 in the path split by the `/` separator. When specified, a trailing `/` is 12797 ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all 12798 match the prefix `/abc`, but the path `/abcd` would not. 
12799 12800 12801 ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 12802 Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in 12803 the implementation setting the Accepted Condition for the Route to `status: False`. 12804 12805 12806 Request Path | Prefix Match | Replace Prefix | Modified Path 12807 -------------|--------------|----------------|---------- 12808 /foo/bar | /foo | /xyz | /xyz/bar 12809 /foo/bar | /foo | /xyz/ | /xyz/bar 12810 /foo/bar | /foo/ | /xyz | /xyz/bar 12811 /foo/bar | /foo/ | /xyz/ | /xyz/bar 12812 /foo | /foo | /xyz | /xyz 12813 /foo/ | /foo | /xyz | /xyz/ 12814 /foo/bar | /foo | <empty string> | /bar 12815 /foo/ | /foo | <empty string> | / 12816 /foo | /foo | <empty string> | / 12817 /foo/ | /foo | / | / 12818 /foo | /foo | / | / 12819 maxLength: 1024 12820 type: string 12821 type: 12822 description: |- 12823 Type defines the type of path modifier. Additional types may be 12824 added in a future release of the API. 12825 12826 12827 Note that values may be added to this enum, implementations 12828 must ensure that unknown values will not cause a crash. 12829 12830 12831 Unknown values here must result in the implementation setting the 12832 Accepted Condition for the Route to `status: False`, with a 12833 Reason of `UnsupportedValue`. 12834 enum: 12835 - ReplaceFullPath 12836 - ReplacePrefixMatch 12837 type: string 12838 required: 12839 - type 12840 type: object 12841 x-kubernetes-validations: 12842 - message: replaceFullPath must be specified 12843 when type is set to 'ReplaceFullPath' 12844 rule: 'self.type == ''ReplaceFullPath'' ? 12845 has(self.replaceFullPath) : true' 12846 - message: type must be 'ReplaceFullPath' when 12847 replaceFullPath is set 12848 rule: 'has(self.replaceFullPath) ? 
self.type 12849 == ''ReplaceFullPath'' : true' 12850 - message: replacePrefixMatch must be specified 12851 when type is set to 'ReplacePrefixMatch' 12852 rule: 'self.type == ''ReplacePrefixMatch'' 12853 ? has(self.replacePrefixMatch) : true' 12854 - message: type must be 'ReplacePrefixMatch' 12855 when replacePrefixMatch is set 12856 rule: 'has(self.replacePrefixMatch) ? self.type 12857 == ''ReplacePrefixMatch'' : true' 12858 type: object 12859 required: 12860 - type 12861 type: object 12862 x-kubernetes-validations: 12863 - message: filter.requestHeaderModifier must be nil 12864 if the filter.type is not RequestHeaderModifier 12865 rule: '!(has(self.requestHeaderModifier) && self.type 12866 != ''RequestHeaderModifier'')' 12867 - message: filter.requestHeaderModifier must be specified 12868 for RequestHeaderModifier filter.type 12869 rule: '!(!has(self.requestHeaderModifier) && self.type 12870 == ''RequestHeaderModifier'')' 12871 - message: filter.responseHeaderModifier must be nil 12872 if the filter.type is not ResponseHeaderModifier 12873 rule: '!(has(self.responseHeaderModifier) && self.type 12874 != ''ResponseHeaderModifier'')' 12875 - message: filter.responseHeaderModifier must be specified 12876 for ResponseHeaderModifier filter.type 12877 rule: '!(!has(self.responseHeaderModifier) && self.type 12878 == ''ResponseHeaderModifier'')' 12879 - message: filter.requestMirror must be nil if the filter.type 12880 is not RequestMirror 12881 rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' 12882 - message: filter.requestMirror must be specified for 12883 RequestMirror filter.type 12884 rule: '!(!has(self.requestMirror) && self.type == 12885 ''RequestMirror'')' 12886 - message: filter.requestRedirect must be nil if the 12887 filter.type is not RequestRedirect 12888 rule: '!(has(self.requestRedirect) && self.type != 12889 ''RequestRedirect'')' 12890 - message: filter.requestRedirect must be specified 12891 for RequestRedirect filter.type 12892 rule: 
'!(!has(self.requestRedirect) && self.type == 12893 ''RequestRedirect'')' 12894 - message: filter.urlRewrite must be nil if the filter.type 12895 is not URLRewrite 12896 rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' 12897 - message: filter.urlRewrite must be specified for URLRewrite 12898 filter.type 12899 rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' 12900 - message: filter.extensionRef must be nil if the filter.type 12901 is not ExtensionRef 12902 rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' 12903 - message: filter.extensionRef must be specified for 12904 ExtensionRef filter.type 12905 rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' 12906 maxItems: 16 12907 type: array 12908 x-kubernetes-validations: 12909 - message: May specify either httpRouteFilterRequestRedirect 12910 or httpRouteFilterRequestRewrite, but not both 12911 rule: '!(self.exists(f, f.type == ''RequestRedirect'') 12912 && self.exists(f, f.type == ''URLRewrite''))' 12913 - message: May specify either httpRouteFilterRequestRedirect 12914 or httpRouteFilterRequestRewrite, but not both 12915 rule: '!(self.exists(f, f.type == ''RequestRedirect'') 12916 && self.exists(f, f.type == ''URLRewrite''))' 12917 - message: RequestHeaderModifier filter cannot be repeated 12918 rule: self.filter(f, f.type == 'RequestHeaderModifier').size() 12919 <= 1 12920 - message: ResponseHeaderModifier filter cannot be repeated 12921 rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() 12922 <= 1 12923 - message: RequestRedirect filter cannot be repeated 12924 rule: self.filter(f, f.type == 'RequestRedirect').size() 12925 <= 1 12926 - message: URLRewrite filter cannot be repeated 12927 rule: self.filter(f, f.type == 'URLRewrite').size() 12928 <= 1 12929 group: 12930 default: "" 12931 description: |- 12932 Group is the group of the referent. For example, "gateway.networking.k8s.io". 
12933 When unspecified or empty string, core API group is inferred. 12934 maxLength: 253 12935 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 12936 type: string 12937 kind: 12938 default: Service 12939 description: |- 12940 Kind is the Kubernetes resource kind of the referent. For example 12941 "Service". 12942 12943 12944 Defaults to "Service" when not specified. 12945 12946 12947 ExternalName services can refer to CNAME DNS records that may live 12948 outside of the cluster and as such are difficult to reason about in 12949 terms of conformance. They also may not be safe to forward to (see 12950 CVE-2021-25740 for more information). Implementations SHOULD NOT 12951 support ExternalName Services. 12952 12953 12954 Support: Core (Services with a type other than ExternalName) 12955 12956 12957 Support: Implementation-specific (Services with type ExternalName) 12958 maxLength: 63 12959 minLength: 1 12960 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 12961 type: string 12962 name: 12963 description: Name is the name of the referent. 12964 maxLength: 253 12965 minLength: 1 12966 type: string 12967 namespace: 12968 description: |- 12969 Namespace is the namespace of the backend. When unspecified, the local 12970 namespace is inferred. 12971 12972 12973 Note that when a namespace different than the local namespace is specified, 12974 a ReferenceGrant object is required in the referent namespace to allow that 12975 namespace's owner to accept the reference. See the ReferenceGrant 12976 documentation for details. 12977 12978 12979 Support: Core 12980 maxLength: 63 12981 minLength: 1 12982 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 12983 type: string 12984 port: 12985 description: |- 12986 Port specifies the destination port number to use for this resource. 12987 Port is required when the referent is a Kubernetes Service. In this 12988 case, the port number is the service port number, not the target port. 
                              For other resources, destination port might be derived from the referent
                              resource or this field.
                            format: int32
                            maximum: 65535
                            minimum: 1
                            type: integer
                          weight:
                            default: 1
                            description: |-
                              Weight specifies the proportion of requests forwarded to the referenced
                              backend. This is computed as weight/(sum of all weights in this
                              BackendRefs list). For non-zero values, there may be some epsilon from
                              the exact proportion defined here depending on the precision an
                              implementation supports. Weight is not a percentage and the sum of
                              weights does not need to equal 100.


                              If only one backend is specified and it has a weight greater than 0, 100%
                              of the traffic is forwarded to that backend. If weight is set to 0, no
                              traffic should be forwarded for this entry. If unspecified, weight
                              defaults to 1.


                              Support for this field varies based on the context where used.
                            format: int32
                            maximum: 1000000
                            minimum: 0
                            type: integer
                        required:
                        - name
                        type: object
                        x-kubernetes-validations:
                        - message: Must have port for Service reference
                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
                            ? has(self.port) : true'
                      maxItems: 16
                      type: array
                    filters:
                      description: |-
                        Filters define the filters that are applied to requests that match
                        this rule.


                        Wherever possible, implementations SHOULD implement filters in the order
                        they are specified.


                        Implementations MAY choose to implement this ordering strictly, rejecting
                        any combination or order of filters that can not be supported. If implementations
                        choose a strict interpretation of filter ordering, they MUST clearly document
                        that behavior.


                        To reject an invalid combination or order of filters, implementations SHOULD
                        consider the Route Rules with this configuration invalid. If all Route Rules
                        in a Route are invalid, the entire Route would be considered invalid. If only
                        a portion of Route Rules are invalid, implementations MUST set the
                        "PartiallyInvalid" condition for the Route.


                        Conformance-levels at this level are defined based on the type of filter:


                        - ALL core filters MUST be supported by all implementations.
                        - Implementers are encouraged to support extended filters.
                        - Implementation-specific custom filters have no API guarantees across
                          implementations.


                        Specifying the same filter multiple times is not supported unless explicitly
                        indicated in the filter.


                        All filters are expected to be compatible with each other except for the
                        URLRewrite and RequestRedirect filters, which may not be combined. If an
                        implementation can not support other combinations of filters, they must clearly
                        document that limitation. In cases where incompatible or unsupported
                        filters are specified and cause the `Accepted` condition to be set to status
                        `False`, implementations may use the `IncompatibleFilters` reason to specify
                        this configuration error.


                        Support: Core
                      items:
                        description: |-
                          HTTPRouteFilter defines processing steps that must be completed during the
                          request or response lifecycle. HTTPRouteFilters are meant as an extension
                          point to express processing that may be done in Gateway implementations. Some
                          examples include request or response modification, implementing
                          authentication strategies, rate-limiting, and traffic shaping. API
                          guarantee/conformance is defined based on the type of the filter.
                        properties:
                          extensionRef:
                            description: |-
                              ExtensionRef is an optional, implementation-specific extension to the
                              "filter" behavior.  For example, resource "myroutefilter" in group
                              "networking.example.net"). ExtensionRef MUST NOT be used for core and
                              extended filters.


                              This filter can be used multiple times within the same rule.


                              Support: Implementation-specific
                            properties:
                              group:
                                description: |-
                                  Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                  When unspecified or empty string, core API group is inferred.
                                maxLength: 253
                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              kind:
                                description: Kind is kind of the referent. For example
                                  "HTTPRoute" or "Service".
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                type: string
                              name:
                                description: Name is the name of the referent.
                                maxLength: 253
                                minLength: 1
                                type: string
                            required:
                            - group
                            - kind
                            - name
                            type: object
                          requestHeaderModifier:
                            description: |-
                              RequestHeaderModifier defines a schema for a filter that modifies request
                              headers.


                              Support: Core
                            properties:
                              add:
                                description: |-
                                  Add adds the given header(s) (name, value) to the request
                                  before the action. It appends to any existing values associated
                                  with the header name.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    add:
                                    - name: "my-header"
                                      value: "bar,baz"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: foo,bar,baz
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                              remove:
                                description: |-
                                  Remove the given header(s) from the HTTP request before the action. The
                                  value of Remove is a list of HTTP header names. Note that the header
                                  names are case-insensitive (see
                                  https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header1: foo
                                    my-header2: bar
                                    my-header3: baz


                                  Config:
                                    remove: ["my-header1", "my-header3"]


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header2: bar
                                items:
                                  type: string
                                maxItems: 16
                                type: array
                                x-kubernetes-list-type: set
                              set:
                                description: |-
                                  Set overwrites the request with the given header (name, value)
                                  before the action.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    set:
                                    - name: "my-header"
                                      value: "bar"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: bar
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                            type: object
                          requestMirror:
                            description: |-
                              RequestMirror defines a schema for a filter that mirrors requests.
                              Requests are sent to the specified destination, but responses from
                              that destination are ignored.


                              This filter can be used multiple times within the same rule. Note that
                              not all implementations will be able to support mirroring to multiple
                              backends.


                              Support: Extended
                            properties:
                              backendRef:
                                description: |-
                                  BackendRef references a resource where mirrored requests are sent.


                                  Mirrored requests must be sent only to a single destination endpoint
                                  within this BackendRef, irrespective of how many endpoints are present
                                  within this BackendRef.


                                  If the referent cannot be found, this BackendRef is invalid and must be
                                  dropped from the Gateway. The controller must ensure the "ResolvedRefs"
                                  condition on the Route status is set to `status: False` and not configure
                                  this backend in the underlying implementation.


                                  If there is a cross-namespace reference to an *existing* object
                                  that is not allowed by a ReferenceGrant, the controller must ensure the
                                  "ResolvedRefs"  condition on the Route is set to `status: False`,
                                  with the "RefNotPermitted" reason and not configure this backend in the
                                  underlying implementation.


                                  In either error case, the Message of the `ResolvedRefs` Condition
                                  should be used to provide more detail about the problem.


                                  Support: Extended for Kubernetes Service


                                  Support: Implementation-specific for any other resource
                                properties:
                                  group:
                                    default: ""
                                    description: |-
                                      Group is the group of the referent. For example, "gateway.networking.k8s.io".
                                      When unspecified or empty string, core API group is inferred.
                                    maxLength: 253
                                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  kind:
                                    default: Service
                                    description: |-
                                      Kind is the Kubernetes resource kind of the referent. For example
                                      "Service".


                                      Defaults to "Service" when not specified.


                                      ExternalName services can refer to CNAME DNS records that may live
                                      outside of the cluster and as such are difficult to reason about in
                                      terms of conformance. They also may not be safe to forward to (see
                                      CVE-2021-25740 for more information).
                                      Implementations SHOULD NOT
                                      support ExternalName Services.


                                      Support: Core (Services with a type other than ExternalName)


                                      Support: Implementation-specific (Services with type ExternalName)
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                    type: string
                                  name:
                                    description: Name is the name of the referent.
                                    maxLength: 253
                                    minLength: 1
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace is the namespace of the backend. When unspecified, the local
                                      namespace is inferred.


                                      Note that when a namespace different than the local namespace is specified,
                                      a ReferenceGrant object is required in the referent namespace to allow that
                                      namespace's owner to accept the reference. See the ReferenceGrant
                                      documentation for details.


                                      Support: Core
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                  port:
                                    description: |-
                                      Port specifies the destination port number to use for this resource.
                                      Port is required when the referent is a Kubernetes Service. In this
                                      case, the port number is the service port number, not the target port.
                                      For other resources, destination port might be derived from the referent
                                      resource or this field.
                                    format: int32
                                    maximum: 65535
                                    minimum: 1
                                    type: integer
                                required:
                                - name
                                type: object
                                x-kubernetes-validations:
                                - message: Must have port for Service reference
                                  rule: '(size(self.group) == 0 && self.kind == ''Service'')
                                    ? has(self.port) : true'
                            required:
                            - backendRef
                            type: object
                          requestRedirect:
                            description: |-
                              RequestRedirect defines a schema for a filter that responds to the
                              request with an HTTP redirection.


                              Support: Core
                            properties:
                              hostname:
                                description: |-
                                  Hostname is the hostname to be used in the value of the `Location`
                                  header in the response.
                                  When empty, the hostname in the `Host` header of the request is used.


                                  Support: Core
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              path:
                                description: |-
                                  Path defines parameters used to modify the path of the incoming request.
                                  The modified path is then used to construct the `Location` header. When
                                  empty, the request path is used as-is.


                                  Support: Extended
                                properties:
                                  replaceFullPath:
                                    description: |-
                                      ReplaceFullPath specifies the value with which to replace the full path
                                      of a request during a rewrite or redirect.
                                    maxLength: 1024
                                    type: string
                                  replacePrefixMatch:
                                    description: |-
                                      ReplacePrefixMatch specifies the value with which to replace the prefix
                                      match of a request during a rewrite or redirect. For example, a request
                                      to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
                                      of "/xyz" would be modified to "/xyz/bar".


                                      Note that this matches the behavior of the PathPrefix match type. This
                                      matches full path elements. A path element refers to the list of labels
                                      in the path split by the `/` separator. When specified, a trailing `/` is
                                      ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
                                      match the prefix `/abc`, but the path `/abcd` would not.


                                      ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
                                      Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
                                      the implementation setting the Accepted Condition for the Route to `status: False`.


                                      Request Path | Prefix Match | Replace Prefix | Modified Path
                                      -------------|--------------|----------------|----------
                                      /foo/bar     | /foo         | /xyz           | /xyz/bar
                                      /foo/bar     | /foo         | /xyz/          | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz           | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz/          | /xyz/bar
                                      /foo         | /foo         | /xyz           | /xyz
                                      /foo/        | /foo         | /xyz           | /xyz/
                                      /foo/bar     | /foo         | <empty string> | /bar
                                      /foo/        | /foo         | <empty string> | /
                                      /foo         | /foo         | <empty string> | /
                                      /foo/        | /foo         | /              | /
                                      /foo         | /foo         | /              | /
                                    maxLength: 1024
                                    type: string
                                  type:
                                    description: |-
                                      Type defines the type of path modifier. Additional types may be
                                      added in a future release of the API.


                                      Note that values may be added to this enum, implementations
                                      must ensure that unknown values will not cause a crash.


                                      Unknown values here must result in the implementation setting the
                                      Accepted Condition for the Route to `status: False`, with a
                                      Reason of `UnsupportedValue`.
                                    enum:
                                    - ReplaceFullPath
                                    - ReplacePrefixMatch
                                    type: string
                                required:
                                - type
                                type: object
                                x-kubernetes-validations:
                                - message: replaceFullPath must be specified when
                                    type is set to 'ReplaceFullPath'
                                  rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
                                    : true'
                                - message: type must be 'ReplaceFullPath' when replaceFullPath
                                    is set
                                  rule: 'has(self.replaceFullPath) ? self.type ==
                                    ''ReplaceFullPath'' : true'
                                - message: replacePrefixMatch must be specified when
                                    type is set to 'ReplacePrefixMatch'
                                  rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
                                    : true'
                                - message: type must be 'ReplacePrefixMatch' when
                                    replacePrefixMatch is set
                                  rule: 'has(self.replacePrefixMatch) ?
                                    self.type
                                    == ''ReplacePrefixMatch'' : true'
                              port:
                                description: |-
                                  Port is the port to be used in the value of the `Location`
                                  header in the response.


                                  If no port is specified, the redirect port MUST be derived using the
                                  following rules:


                                  * If redirect scheme is not-empty, the redirect port MUST be the well-known
                                    port associated with the redirect scheme. Specifically "http" to port 80
                                    and "https" to port 443. If the redirect scheme does not have a
                                    well-known port, the listener port of the Gateway SHOULD be used.
                                  * If redirect scheme is empty, the redirect port MUST be the Gateway
                                    Listener port.


                                  Implementations SHOULD NOT add the port number in the 'Location'
                                  header in the following cases:


                                  * A Location header that will use HTTP (whether that is determined via
                                    the Listener protocol or the Scheme field) _and_ use port 80.
                                  * A Location header that will use HTTPS (whether that is determined via
                                    the Listener protocol or the Scheme field) _and_ use port 443.


                                  Support: Extended
                                format: int32
                                maximum: 65535
                                minimum: 1
                                type: integer
                              scheme:
                                description: |-
                                  Scheme is the scheme to be used in the value of the `Location` header in
                                  the response. When empty, the scheme of the request is used.


                                  Scheme redirects can affect the port of the redirect, for more information,
                                  refer to the documentation for the port field of this filter.


                                  Note that values may be added to this enum, implementations
                                  must ensure that unknown values will not cause a crash.


                                  Unknown values here must result in the implementation setting the
                                  Accepted Condition for the Route to `status: False`, with a
                                  Reason of `UnsupportedValue`.


                                  Support: Extended
                                enum:
                                - http
                                - https
                                type: string
                              statusCode:
                                default: 302
                                description: |-
                                  StatusCode is the HTTP status code to be used in response.


                                  Note that values may be added to this enum, implementations
                                  must ensure that unknown values will not cause a crash.


                                  Unknown values here must result in the implementation setting the
                                  Accepted Condition for the Route to `status: False`, with a
                                  Reason of `UnsupportedValue`.


                                  Support: Core
                                enum:
                                - 301
                                - 302
                                type: integer
                            type: object
                          responseHeaderModifier:
                            description: |-
                              ResponseHeaderModifier defines a schema for a filter that modifies response
                              headers.


                              Support: Extended
                            properties:
                              add:
                                description: |-
                                  Add adds the given header(s) (name, value) to the request
                                  before the action. It appends to any existing values associated
                                  with the header name.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    add:
                                    - name: "my-header"
                                      value: "bar,baz"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: foo,bar,baz
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored. Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                              remove:
                                description: |-
                                  Remove the given header(s) from the HTTP request before the action. The
                                  value of Remove is a list of HTTP header names. Note that the header
                                  names are case-insensitive (see
                                  https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header1: foo
                                    my-header2: bar
                                    my-header3: baz


                                  Config:
                                    remove: ["my-header1", "my-header3"]


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header2: bar
                                items:
                                  type: string
                                maxItems: 16
                                type: array
                                x-kubernetes-list-type: set
                              set:
                                description: |-
                                  Set overwrites the request with the given header (name, value)
                                  before the action.


                                  Input:
                                    GET /foo HTTP/1.1
                                    my-header: foo


                                  Config:
                                    set:
                                    - name: "my-header"
                                      value: "bar"


                                  Output:
                                    GET /foo HTTP/1.1
                                    my-header: bar
                                items:
                                  description: HTTPHeader represents an HTTP Header
                                    name and value as defined by RFC 7230.
                                  properties:
                                    name:
                                      description: |-
                                        Name is the name of the HTTP Header to be matched. Name matching MUST be
                                        case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).


                                        If multiple entries specify equivalent header names, the first entry with
                                        an equivalent name MUST be considered for a match. Subsequent entries
                                        with an equivalent header name MUST be ignored.
                                        Due to the
                                        case-insensitivity of header names, "foo" and "Foo" are considered
                                        equivalent.
                                      maxLength: 256
                                      minLength: 1
                                      pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                      type: string
                                    value:
                                      description: Value is the value of HTTP Header
                                        to be matched.
                                      maxLength: 4096
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                maxItems: 16
                                type: array
                                x-kubernetes-list-map-keys:
                                - name
                                x-kubernetes-list-type: map
                            type: object
                          type:
                            description: |-
                              Type identifies the type of filter to apply. As with other API fields,
                              types are classified into three conformance levels:


                              - Core: Filter types and their corresponding configuration defined by
                                "Support: Core" in this package, e.g. "RequestHeaderModifier". All
                                implementations must support core filters.


                              - Extended: Filter types and their corresponding configuration defined by
                                "Support: Extended" in this package, e.g. "RequestMirror". Implementers
                                are encouraged to support extended filters.


                              - Implementation-specific: Filters that are defined and supported by
                                specific vendors.
                                In the future, filters showing convergence in behavior across multiple
                                implementations will be considered for inclusion in extended or core
                                conformance levels. Filter-specific configuration for such filters
                                is specified using the ExtensionRef field. `Type` should be set to
                                "ExtensionRef" for custom filters.


                              Implementers are encouraged to define custom implementation types to
                              extend the core API with implementation-specific behavior.


                              If a reference to a custom filter type cannot be resolved, the filter
                              MUST NOT be skipped. Instead, requests that would have been processed by
                              that filter MUST receive a HTTP error response.


                              Note that values may be added to this enum, implementations
                              must ensure that unknown values will not cause a crash.


                              Unknown values here must result in the implementation setting the
                              Accepted Condition for the Route to `status: False`, with a
                              Reason of `UnsupportedValue`.
                            enum:
                            - RequestHeaderModifier
                            - ResponseHeaderModifier
                            - RequestMirror
                            - RequestRedirect
                            - URLRewrite
                            - ExtensionRef
                            type: string
                          urlRewrite:
                            description: |-
                              URLRewrite defines a schema for a filter that modifies a request during forwarding.


                              Support: Extended
                            properties:
                              hostname:
                                description: |-
                                  Hostname is the value to be used to replace the Host header value during
                                  forwarding.


                                  Support: Extended
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              path:
                                description: |-
                                  Path defines a path rewrite.


                                  Support: Extended
                                properties:
                                  replaceFullPath:
                                    description: |-
                                      ReplaceFullPath specifies the value with which to replace the full path
                                      of a request during a rewrite or redirect.
                                    maxLength: 1024
                                    type: string
                                  replacePrefixMatch:
                                    description: |-
                                      ReplacePrefixMatch specifies the value with which to replace the prefix
                                      match of a request during a rewrite or redirect. For example, a request
                                      to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
                                      of "/xyz" would be modified to "/xyz/bar".


                                      Note that this matches the behavior of the PathPrefix match type. This
                                      matches full path elements. A path element refers to the list of labels
                                      in the path split by the `/` separator. When specified, a trailing `/` is
                                      ignored.
                                      For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
                                      match the prefix `/abc`, but the path `/abcd` would not.


                                      ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
                                      Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
                                      the implementation setting the Accepted Condition for the Route to `status: False`.


                                      Request Path | Prefix Match | Replace Prefix | Modified Path
                                      -------------|--------------|----------------|----------
                                      /foo/bar     | /foo         | /xyz           | /xyz/bar
                                      /foo/bar     | /foo         | /xyz/          | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz           | /xyz/bar
                                      /foo/bar     | /foo/        | /xyz/          | /xyz/bar
                                      /foo         | /foo         | /xyz           | /xyz
                                      /foo/        | /foo         | /xyz           | /xyz/
                                      /foo/bar     | /foo         | <empty string> | /bar
                                      /foo/        | /foo         | <empty string> | /
                                      /foo         | /foo         | <empty string> | /
                                      /foo/        | /foo         | /              | /
                                      /foo         | /foo         | /              | /
                                    maxLength: 1024
                                    type: string
                                  type:
                                    description: |-
                                      Type defines the type of path modifier. Additional types may be
                                      added in a future release of the API.


                                      Note that values may be added to this enum, implementations
                                      must ensure that unknown values will not cause a crash.


                                      Unknown values here must result in the implementation setting the
                                      Accepted Condition for the Route to `status: False`, with a
                                      Reason of `UnsupportedValue`.
                                    enum:
                                    - ReplaceFullPath
                                    - ReplacePrefixMatch
                                    type: string
                                required:
                                - type
                                type: object
                                x-kubernetes-validations:
                                - message: replaceFullPath must be specified when
                                    type is set to 'ReplaceFullPath'
                                  rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
                                    : true'
                                - message: type must be 'ReplaceFullPath' when replaceFullPath
                                    is set
                                  rule: 'has(self.replaceFullPath) ?
                                    self.type ==
                                    ''ReplaceFullPath'' : true'
                                - message: replacePrefixMatch must be specified when
                                    type is set to 'ReplacePrefixMatch'
                                  rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
                                    : true'
                                - message: type must be 'ReplacePrefixMatch' when
                                    replacePrefixMatch is set
                                  rule: 'has(self.replacePrefixMatch) ? self.type
                                    == ''ReplacePrefixMatch'' : true'
                            type: object
                        required:
                        - type
                        type: object
                        x-kubernetes-validations:
                        - message: filter.requestHeaderModifier must be nil if the
                            filter.type is not RequestHeaderModifier
                          rule: '!(has(self.requestHeaderModifier) && self.type !=
                            ''RequestHeaderModifier'')'
                        - message: filter.requestHeaderModifier must be specified
                            for RequestHeaderModifier filter.type
                          rule: '!(!has(self.requestHeaderModifier) && self.type ==
                            ''RequestHeaderModifier'')'
                        - message: filter.responseHeaderModifier must be nil if the
                            filter.type is not ResponseHeaderModifier
                          rule: '!(has(self.responseHeaderModifier) && self.type !=
                            ''ResponseHeaderModifier'')'
                        - message: filter.responseHeaderModifier must be specified
                            for ResponseHeaderModifier filter.type
                          rule: '!(!has(self.responseHeaderModifier) && self.type
                            == ''ResponseHeaderModifier'')'
                        - message: filter.requestMirror must be nil if the filter.type
                            is not RequestMirror
                          rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
                        - message: filter.requestMirror must be specified for RequestMirror
                            filter.type
                          rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
                        - message: filter.requestRedirect must be nil if the filter.type
                            is not RequestRedirect
                          rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
                        - message: filter.requestRedirect must be specified for RequestRedirect
                            filter.type
                          rule:
                            '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
                        - message: filter.urlRewrite must be nil if the filter.type
                            is not URLRewrite
                          rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
                        - message: filter.urlRewrite must be specified for URLRewrite
                            filter.type
                          rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
                        - message: filter.extensionRef must be nil if the filter.type
                            is not ExtensionRef
                          rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
                        - message: filter.extensionRef must be specified for ExtensionRef
                            filter.type
                          rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
                      maxItems: 16
                      type: array
                      x-kubernetes-validations:
                      - message: May specify either httpRouteFilterRequestRedirect
                          or httpRouteFilterRequestRewrite, but not both
                        rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
                          self.exists(f, f.type == ''URLRewrite''))'
                      - message: RequestHeaderModifier filter cannot be repeated
                        rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
                          <= 1
                      - message: ResponseHeaderModifier filter cannot be repeated
                        rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
                          <= 1
                      - message: RequestRedirect filter cannot be repeated
                        rule: self.filter(f, f.type == 'RequestRedirect').size() <=
                          1
                      - message: URLRewrite filter cannot be repeated
                        rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
                    matches:
                      default:
                      - path:
                          type: PathPrefix
                          value: /
                      description: |-
                        Matches define conditions used for matching the rule against incoming
                        HTTP requests. Each match is independent, i.e. this rule will be matched
                        if **any** one of the matches is satisfied.
13939 13940 13941 For example, take the following matches configuration: 13942 13943 13944 ``` 13945 matches: 13946 - path: 13947 value: "/foo" 13948 headers: 13949 - name: "version" 13950 value: "v2" 13951 - path: 13952 value: "/v2/foo" 13953 ``` 13954 13955 13956 For a request to match against this rule, a request must satisfy 13957 EITHER of the two conditions: 13958 13959 13960 - path prefixed with `/foo` AND contains the header `version: v2` 13961 - path prefix of `/v2/foo` 13962 13963 13964 See the documentation for HTTPRouteMatch on how to specify multiple 13965 match conditions that should be ANDed together. 13966 13967 13968 If no matches are specified, the default is a prefix 13969 path match on "/", which has the effect of matching every 13970 HTTP request. 13971 13972 13973 Proxy or Load Balancer routing configuration generated from HTTPRoutes 13974 MUST prioritize matches based on the following criteria, continuing on 13975 ties. Across all rules specified on applicable Routes, precedence must be 13976 given to the match having: 13977 13978 13979 * "Exact" path match. 13980 * "Prefix" path match with largest number of characters. 13981 * Method match. 13982 * Largest number of header matches. 13983 * Largest number of query param matches. 13984 13985 13986 Note: The precedence of RegularExpression path matches are implementation-specific. 13987 13988 13989 If ties still exist across multiple Routes, matching precedence MUST be 13990 determined in order of the following criteria, continuing on ties: 13991 13992 13993 * The oldest Route based on creation timestamp. 13994 * The Route appearing first in alphabetical order by 13995 "{namespace}/{name}". 13996 13997 13998 If ties still exist within an HTTPRoute, matching precedence MUST be granted 13999 to the FIRST matching rule (in list order) with a match meeting the above 14000 criteria. 
14001 14002 14003 When no rules matching a request have been successfully attached to the 14004 parent a request is coming from, a HTTP 404 status code MUST be returned. 14005 items: 14006 description: "HTTPRouteMatch defines the predicate used to 14007 match requests to a given\naction. Multiple match types 14008 are ANDed together, i.e. the match will\nevaluate to true 14009 only if all conditions are satisfied.\n\n\nFor example, 14010 the match below will match a HTTP request only if its path\nstarts 14011 with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t 14012 \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t 14013 \ value \"v1\"\n\n\n```" 14014 properties: 14015 headers: 14016 description: |- 14017 Headers specifies HTTP request header matchers. Multiple match values are 14018 ANDed together, meaning, a request must match all the specified headers 14019 to select the route. 14020 items: 14021 description: |- 14022 HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request 14023 headers. 14024 properties: 14025 name: 14026 description: |- 14027 Name is the name of the HTTP Header to be matched. Name matching MUST be 14028 case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 14029 14030 14031 If multiple entries specify equivalent header names, only the first 14032 entry with an equivalent name MUST be considered for a match. Subsequent 14033 entries with an equivalent header name MUST be ignored. Due to the 14034 case-insensitivity of header names, "foo" and "Foo" are considered 14035 equivalent. 14036 14037 14038 When a header is repeated in an HTTP request, it is 14039 implementation-specific behavior as to how this is represented. 14040 Generally, proxies should follow the guidance from the RFC: 14041 https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding 14042 processing a repeated header, with special handling for "Set-Cookie". 
                                  maxLength: 256
                                  minLength: 1
                                  pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                  type: string
                                type:
                                  default: Exact
                                  description: |-
                                    Type specifies how to match against the value of the header.


                                    Support: Core (Exact)


                                    Support: Implementation-specific (RegularExpression)


                                    Since RegularExpression HeaderMatchType has implementation-specific
                                    conformance, implementations can support POSIX, PCRE or any other dialects
                                    of regular expressions. Please read the implementation's documentation to
                                    determine the supported dialect.
                                  enum:
                                  - Exact
                                  - RegularExpression
                                  type: string
                                value:
                                  description: Value is the value of HTTP Header to
                                    be matched.
                                  maxLength: 4096
                                  minLength: 1
                                  type: string
                              required:
                              - name
                              - value
                              type: object
                            maxItems: 16
                            type: array
                            x-kubernetes-list-map-keys:
                            - name
                            x-kubernetes-list-type: map
                          method:
                            description: |-
                              Method specifies HTTP method matcher.
                              When specified, this route will be matched only if the request has the
                              specified method.


                              Support: Extended
                            enum:
                            - GET
                            - HEAD
                            - POST
                            - PUT
                            - DELETE
                            - CONNECT
                            - OPTIONS
                            - TRACE
                            - PATCH
                            type: string
                          path:
                            default:
                              type: PathPrefix
                              value: /
                            description: |-
                              Path specifies a HTTP request path matcher. If this field is not
                              specified, a default prefix match on the "/" path is provided.
                            properties:
                              type:
                                default: PathPrefix
                                description: |-
                                  Type specifies how to match against the path Value.


                                  Support: Core (Exact, PathPrefix)


                                  Support: Implementation-specific (RegularExpression)
                                enum:
                                - Exact
                                - PathPrefix
                                - RegularExpression
                                type: string
                              value:
                                default: /
                                description: Value of the HTTP path to match against.
                                maxLength: 1024
                                type: string
                            type: object
                            x-kubernetes-validations:
                            - message: value must be an absolute path and start with
                                '/' when type one of ['Exact', 'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
                                : true'
                            - message: must not contain '//' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
                                : true'
                            - message: must not contain '/./' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
                                : true'
                            - message: must not contain '/../' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
                                : true'
                            - message: must not contain '%2f' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
                                : true'
                            - message: must not contain '%2F' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
                                : true'
                            - message: must not contain '#' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
                                : true'
                            - message: must not end with '/..' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
                                : true'
                            - message: must not end with '/.' when type one of ['Exact',
                                'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
                                : true'
                            - message: type must be one of ['Exact', 'PathPrefix',
                                'RegularExpression']
                              rule: self.type in ['Exact','PathPrefix'] || self.type
                                == 'RegularExpression'
                            - message: must only contain valid characters (matching
                                ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
                                for types ['Exact', 'PathPrefix']
                              rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
                                : true'
                          queryParams:
                            description: |-
                              QueryParams specifies HTTP query parameter matchers. Multiple match
                              values are ANDed together, meaning, a request must match all the
                              specified query parameters to select the route.


                              Support: Extended
                            items:
                              description: |-
                                HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
                                query parameters.
                              properties:
                                name:
                                  description: |-
                                    Name is the name of the HTTP query param to be matched. This must be an
                                    exact string match. (See
                                    https://tools.ietf.org/html/rfc7230#section-2.7.3).


                                    If multiple entries specify equivalent query param names, only the first
                                    entry with an equivalent name MUST be considered for a match. Subsequent
                                    entries with an equivalent query param name MUST be ignored.


                                    If a query param is repeated in an HTTP request, the behavior is
                                    purposely left undefined, since different data planes have different
                                    capabilities. However, it is *recommended* that implementations should
                                    match against the first value of the param if the data plane supports it,
                                    as this behavior is expected in other load balancing contexts outside of
                                    the Gateway API.


                                    Users SHOULD NOT route traffic based on repeated query params to guard
                                    themselves against potential differences in the implementations.
                                  maxLength: 256
                                  minLength: 1
                                  pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
                                  type: string
                                type:
                                  default: Exact
                                  description: |-
                                    Type specifies how to match against the value of the query parameter.


                                    Support: Extended (Exact)


                                    Support: Implementation-specific (RegularExpression)


                                    Since RegularExpression QueryParamMatchType has Implementation-specific
                                    conformance, implementations can support POSIX, PCRE or any other
                                    dialects of regular expressions. Please read the implementation's
                                    documentation to determine the supported dialect.
                                  enum:
                                  - Exact
                                  - RegularExpression
                                  type: string
                                value:
                                  description: Value is the value of HTTP query param
                                    to be matched.
                                  maxLength: 1024
                                  minLength: 1
                                  type: string
                              required:
                              - name
                              - value
                              type: object
                            maxItems: 16
                            type: array
                            x-kubernetes-list-map-keys:
                            - name
                            x-kubernetes-list-type: map
                        type: object
                      maxItems: 8
                      type: array
                    sessionPersistence:
                      description: |+
                        SessionPersistence defines and configures session persistence
                        for the route rule.


                        Support: Extended


                      properties:
                        absoluteTimeout:
                          description: |-
                            AbsoluteTimeout defines the absolute timeout of the persistent
                            session. Once the AbsoluteTimeout duration has elapsed, the
                            session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        cookieConfig:
                          description: |-
                            CookieConfig provides configuration settings that are specific
                            to cookie-based session persistence.


                            Support: Core
                          properties:
                            lifetimeType:
                              default: Session
                              description: |-
                                LifetimeType specifies whether the cookie has a permanent or
                                session-based lifetime. A permanent cookie persists until its
                                specified expiry time, defined by the Expires or Max-Age cookie
                                attributes, while a session cookie is deleted when the current
                                session ends.


                                When set to "Permanent", AbsoluteTimeout indicates the
                                cookie's lifetime via the Expires or Max-Age cookie attributes
                                and is required.


                                When set to "Session", AbsoluteTimeout indicates the
                                absolute lifetime of the cookie tracked by the gateway and
                                is optional.


                                Support: Core for "Session" type


                                Support: Extended for "Permanent" type
                              enum:
                              - Permanent
                              - Session
                              type: string
                          type: object
                        idleTimeout:
                          description: |-
                            IdleTimeout defines the idle timeout of the persistent session.
                            Once the session has been idle for more than the specified
                            IdleTimeout duration, the session becomes invalid.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        sessionName:
                          description: |-
                            SessionName defines the name of the persistent session token
                            which may be reflected in the cookie or the header. Users
                            should avoid reusing session names to prevent unintended
                            consequences, such as rejection or unpredictable behavior.


                            Support: Implementation-specific
                          maxLength: 128
                          type: string
                        type:
                          default: Cookie
                          description: |-
                            Type defines the type of session persistence such as through
                            the use a header or cookie. Defaults to cookie based session
                            persistence.


                            Support: Core for "Cookie" type


                            Support: Extended for "Header" type
                          enum:
                          - Cookie
                          - Header
                          type: string
                      type: object
                      x-kubernetes-validations:
                      - message: AbsoluteTimeout must be specified when cookie lifetimeType
                          is Permanent
                        rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType
                          != ''Permanent'' || has(self.absoluteTimeout)'
                    timeouts:
                      description: |+
                        Timeouts defines the timeouts that can be configured for an HTTP request.


                        Support: Extended


                      properties:
                        backendRequest:
                          description: |-
                            BackendRequest specifies a timeout for an individual request from the gateway
                            to a backend. This covers the time from when the request first starts being
                            sent from the gateway to when the full response has been received from the backend.


                            Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
                            completely. Implementations that cannot completely disable the timeout MUST
                            instead interpret the zero duration as the longest possible value to which
                            the timeout can be set.


                            An entire client HTTP transaction with a gateway, covered by the Request timeout,
                            may result in more than one call from the gateway to the destination backend,
                            for example, if automatic retries are supported.


                            Because the Request timeout encompasses the BackendRequest timeout, the value of
                            BackendRequest must be <= the value of Request timeout.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                        request:
                          description: |-
                            Request specifies the maximum duration for a gateway to respond to an HTTP request.
                            If the gateway has not been able to respond before this deadline is met, the gateway
                            MUST return a timeout error.


                            For example, setting the `rules.timeouts.request` field to the value `10s` in an
                            `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
                            to complete.


                            Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
                            completely. Implementations that cannot completely disable the timeout MUST
                            instead interpret the zero duration as the longest possible value to which
                            the timeout can be set.


                            This timeout is intended to cover as close to the whole request-response transaction
                            as possible although an implementation MAY choose to start the timeout after the entire
                            request stream has been received instead of immediately after the transaction is
                            initiated by the client.


                            When this field is unspecified, request timeout behavior is implementation-specific.


                            Support: Extended
                          pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                          type: string
                      type: object
                      x-kubernetes-validations:
                      - message: backendRequest timeout cannot be longer than request
                          timeout
                        rule: '!(has(self.request) && has(self.backendRequest) &&
                          duration(self.request) != duration(''0s'') && duration(self.backendRequest)
                          > duration(self.request))'
                  type: object
                  x-kubernetes-validations:
                  - message: RequestRedirect filter must not be used together with
                      backendRefs
                    rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
                      (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
                      true'
                  - message: When using RequestRedirect filter with path.replacePrefixMatch,
                      exactly one PathPrefix match must be specified
                    rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
                      && has(f.requestRedirect.path) && f.requestRedirect.path.type
                      == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
                      ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
                      self.matches[0].path.type != ''PathPrefix'') ? false : true)
                      : true'
                  - message: When using URLRewrite filter with path.replacePrefixMatch,
                      exactly one PathPrefix match must be specified
                    rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
                      && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
                      && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
                      != 1 || !has(self.matches[0].path) || self.matches[0].path.type
                      != ''PathPrefix'') ? false : true) : true'
                  - message: Within backendRefs, when using RequestRedirect filter
                      with path.replacePrefixMatch, exactly one PathPrefix match must
                      be specified
                    rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
                      (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
                      && has(f.requestRedirect.path) && f.requestRedirect.path.type
                      == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
                      )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
                      || self.matches[0].path.type != ''PathPrefix'') ? false : true)
                      : true'
                  - message: Within backendRefs, When using URLRewrite filter with
                      path.replacePrefixMatch, exactly one PathPrefix match must be
                      specified
                    rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
                      (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
                      && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
                      && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
                      != 1 || !has(self.matches[0].path) || self.matches[0].path.type
                      != ''PathPrefix'') ? false : true) : true'
                maxItems: 16
                type: array
            type: object
          status:
            description: Status defines the current state of HTTPRoute.
            properties:
              parents:
                description: |-
                  Parents is a list of parent resources (usually Gateways) that are
                  associated with the route, and the status of the route with respect to
                  each parent. When this route attaches to a parent, the controller that
                  manages the parent must add an entry to this list when the controller
                  first sees the route and should update the entry as appropriate when the
                  route or gateway is modified.


                  Note that parent references that cannot be resolved by an implementation
                  of this API will not be added to this list. Implementations of this API
                  can only populate Route status for the Gateways/parent resources they are
                  responsible for.


                  A maximum of 32 Gateways will be represented in this list. An empty list
                  means the route has not been attached to any Gateway.
                items:
                  description: |-
                    RouteParentStatus describes the status of a route with respect to an
                    associated Parent.
                  properties:
                    conditions:
                      description: |-
                        Conditions describes the status of the route with respect to the Gateway.
                        Note that the route's availability is also subject to the Gateway's own
                        status conditions and listener status.


                        If the Route's ParentRef specifies an existing Gateway that supports
                        Routes of this kind AND that Gateway's controller has sufficient access,
                        then that Gateway's controller MUST set the "Accepted" condition on the
                        Route, to indicate whether the route has been accepted or rejected by the
                        Gateway, and why.


                        A Route MUST be considered "Accepted" if at least one of the Route's
                        rules is implemented by the Gateway.


                        There are a number of cases where the "Accepted" condition may not be set
                        due to lack of controller visibility, that includes when:


                        * The Route refers to a non-existent parent.
                        * The Route is of a type that the controller does not support.
                        * The Route is in a namespace the controller does not have access to.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      minItems: 1
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    controllerName:
                      description: |-
                        ControllerName is a domain/path string that indicates the name of the
                        controller that wrote this status. This corresponds with the
                        controllerName field on GatewayClass.


                        Example: "example.net/gateway-controller".


                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
                        valid Kubernetes names
                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).


                        Controllers MUST populate this field when writing status. Controllers should ensure that
                        entries to status populated with their ControllerName are cleaned up when they are no
                        longer necessary.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    parentRef:
                      description: |-
                        ParentRef corresponds with a ParentRef in the spec that this
                        RouteParentStatus struct describes the status of.
                      properties:
                        group:
                          default: gateway.networking.k8s.io
                          description: |-
                            Group is the group of the referent.
                            When unspecified, "gateway.networking.k8s.io" is inferred.
                            To set the core API group (such as for a "Service" kind referent),
                            Group must be explicitly set to "" (empty string).


                            Support: Core
                          maxLength: 253
                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        kind:
                          default: Gateway
                          description: |-
                            Kind is kind of the referent.


                            There are two kinds of parent resources with "Core" support:


                            * Gateway (Gateway conformance profile)
                            * Service (Mesh conformance profile, ClusterIP Services only)


                            Support for other resources is Implementation-Specific.
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                          type: string
                        name:
                          description: |-
                            Name is the name of the referent.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          type: string
                        namespace:
                          description: |-
                            Namespace is the namespace of the referent. When unspecified, this refers
                            to the local namespace of the Route.


                            Note that there are specific rules for ParentRefs which cross namespace
                            boundaries. Cross-namespace references are only valid if they are explicitly
                            allowed by something in the namespace they are referring to. For example:
                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                            generic way to enable any other kind of cross-namespace reference.



                            ParentRefs from a Route to a Service in the same namespace are "producer"
                            routes, which apply default routing rules to inbound connections from
                            any namespace to the Service.


                            ParentRefs from a Route to a Service in a different namespace are
                            "consumer" routes, and these routing rules are only applied to outbound
                            connections originating from the same namespace as the Route, for which
                            the intended destination of the connections are a Service targeted as a
                            ParentRef of the Route.



                            Support: Core
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                          type: string
                        port:
                          description: |-
                            Port is the network port this Route targets. It can be interpreted
                            differently based on the type of parent resource.


                            When the parent resource is a Gateway, this targets all listeners
                            listening on the specified port that also support this kind of Route(and
                            select this Route). It's not recommended to set `Port` unless the
                            networking behaviors specified in a Route must apply to a specific port
                            as opposed to a listener(s) whose port(s) may be changed. When both Port
                            and SectionName are specified, the name and port of the selected listener
                            must match both specified values.



                            When the parent resource is a Service, this targets a specific port in the
                            Service spec. When both Port (experimental) and SectionName are specified,
                            the name and port of the selected port must match both specified values.



                            Implementations MAY choose to support other parent resources.
                            Implementations supporting other types of parent resources MUST clearly
                            document how/if Port is interpreted.


                            For the purpose of status, an attachment is considered successful as
                            long as the parent resource accepts it partially. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                            from the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route,
                            the Route MUST be considered detached from the Gateway.


                            Support: Extended
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        sectionName:
                          description: |-
                            SectionName is the name of a section within the target resource. In the
                            following resources, SectionName is interpreted as the following:


                            * Gateway: Listener name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.
                            * Service: Port name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.


                            Implementations MAY choose to support attaching Routes to other resources.
                            If that is the case, they MUST clearly document how SectionName is
                            interpreted.


                            When unspecified (empty string), this will reference the entire resource.
                            For the purpose of status, an attachment is considered successful if at
                            least one section in the parent resource accepts it. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                            the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route, the
                            Route MUST be considered detached from the Gateway.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                      required:
                      - name
                      type: object
                  required:
                  - controllerName
                  - parentRef
                  type: object
                maxItems: 32
                type: array
            required:
            - parents
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
    gateway.networking.k8s.io/bundle-version: v1.1.0
    gateway.networking.k8s.io/channel: experimental
  creationTimestamp: null
  name: referencegrants.gateway.networking.k8s.io
spec:
  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
    kind: ReferenceGrant
    listKind: ReferenceGrantList
    plural: referencegrants
    shortNames:
    - refgrant
    singular: referencegrant
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    deprecated: true
    deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated
      and will be removed in a future release of the API. Please upgrade to v1beta1.
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: |-
          ReferenceGrant identifies kinds of resources in other namespaces that are
          trusted to reference the specified kinds of resources in the same namespace
          as the policy.


          Each ReferenceGrant can be used to represent a unique trust relationship.
          Additional Reference Grants can be used to add to the set of trusted
          sources of inbound references for the namespace they are defined within.


          A ReferenceGrant is required for all cross-namespace references in Gateway API
          (with the exception of cross-namespace Route-Gateway attachment, which is
          governed by the AllowedRoutes configuration on the Gateway, and cross-namespace
          Service ParentRefs on a "consumer" mesh Route, which defines routing rules
          applicable only to workloads in the Route namespace). ReferenceGrants allowing
          a reference from a Route to a Service are only applicable to BackendRefs.


          ReferenceGrant is a form of runtime verification allowing users to assert
          which cross-namespace object references are permitted. Implementations that
          support ReferenceGrant MUST NOT permit cross-namespace references which have
          no grant, and MUST respond to the removal of a grant by revoking the access
          that the grant allowed.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of ReferenceGrant.
            properties:
              from:
                description: |-
                  From describes the trusted namespaces and kinds that can reference the
                  resources described in "To". Each entry in this list MUST be considered
                  to be an additional place that references can be valid from, or to put
                  this another way, entries MUST be combined using OR.


                  Support: Core
                items:
                  description: ReferenceGrantFrom describes trusted namespaces and
                    kinds.
                  properties:
                    group:
                      description: |-
                        Group is the group of the referent.
                        When empty, the Kubernetes core API group is inferred.


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      description: |-
                        Kind is the kind of the referent. Although implementations may support
                        additional resources, the following types are part of the "Core"
                        support level for this field.


                        When used to permit a SecretObjectReference:


                        * Gateway


                        When used to permit a BackendObjectReference:


                        * GRPCRoute
                        * HTTPRoute
                        * TCPRoute
                        * TLSRoute
                        * UDPRoute
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent.


                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                  required:
                  - group
                  - kind
                  - namespace
                  type: object
                maxItems: 16
                minItems: 1
                type: array
              to:
                description: |-
                  To describes the resources that may be referenced by the resources
                  described in "From". Each entry in this list MUST be considered to be an
                  additional place that references can be valid to, or to put this another
                  way, entries MUST be combined using OR.


                  Support: Core
                items:
                  description: |-
                    ReferenceGrantTo describes what Kinds are allowed as targets of the
                    references.
                  properties:
                    group:
                      description: |-
                        Group is the group of the referent.
                        When empty, the Kubernetes core API group is inferred.


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      description: |-
                        Kind is the kind of the referent. Although implementations may support
                        additional resources, the following types are part of the "Core"
                        support level for this field:


                        * Secret when used to permit a SecretObjectReference
                        * Service when used to permit a BackendObjectReference
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent. When unspecified, this policy
                        refers to all resources of the specified Group and Kind in the local
                        namespace.
                      maxLength: 253
                      minLength: 1
                      type: string
                  required:
                  - group
                  - kind
                  type: object
                maxItems: 16
                minItems: 1
                type: array
            required:
            - from
            - to
            type: object
        type: object
    served: true
    storage: false
    subresources: {}
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: |-
          ReferenceGrant identifies kinds of resources in other namespaces that are
          trusted to reference the specified kinds of resources in the same namespace
          as the policy.


          Each ReferenceGrant can be used to represent a unique trust relationship.
          Additional Reference Grants can be used to add to the set of trusted
          sources of inbound references for the namespace they are defined within.


          All cross-namespace references in Gateway API (with the exception of cross-namespace
          Gateway-route attachment) require a ReferenceGrant.


          ReferenceGrant is a form of runtime verification allowing users to assert
          which cross-namespace object references are permitted. Implementations that
          support ReferenceGrant MUST NOT permit cross-namespace references which have
          no grant, and MUST respond to the removal of a grant by revoking the access
          that the grant allowed.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of ReferenceGrant.
            properties:
              from:
                description: |-
                  From describes the trusted namespaces and kinds that can reference the
                  resources described in "To". Each entry in this list MUST be considered
                  to be an additional place that references can be valid from, or to put
                  this another way, entries MUST be combined using OR.


                  Support: Core
                items:
                  description: ReferenceGrantFrom describes trusted namespaces and
                    kinds.
                  properties:
                    group:
                      description: |-
                        Group is the group of the referent.
                        When empty, the Kubernetes core API group is inferred.


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      description: |-
                        Kind is the kind of the referent. Although implementations may support
                        additional resources, the following types are part of the "Core"
                        support level for this field.


                        When used to permit a SecretObjectReference:


                        * Gateway


                        When used to permit a BackendObjectReference:


                        * GRPCRoute
                        * HTTPRoute
                        * TCPRoute
                        * TLSRoute
                        * UDPRoute
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent.


                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                  required:
                  - group
                  - kind
                  - namespace
                  type: object
                maxItems: 16
                minItems: 1
                type: array
              to:
                description: |-
                  To describes the resources that may be referenced by the resources
                  described in "From". Each entry in this list MUST be considered to be an
                  additional place that references can be valid to, or to put this another
                  way, entries MUST be combined using OR.


                  Support: Core
                items:
                  description: |-
                    ReferenceGrantTo describes what Kinds are allowed as targets of the
                    references.
                  properties:
                    group:
                      description: |-
                        Group is the group of the referent.
                        When empty, the Kubernetes core API group is inferred.


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      description: |-
                        Kind is the kind of the referent. Although implementations may support
                        additional resources, the following types are part of the "Core"
                        support level for this field:


                        * Secret when used to permit a SecretObjectReference
                        * Service when used to permit a BackendObjectReference
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent. When unspecified, this policy
                        refers to all resources of the specified Group and Kind in the local
                        namespace.
                      maxLength: 253
                      minLength: 1
                      type: string
                  required:
                  - group
                  - kind
                  type: object
                maxItems: 16
                minItems: 1
                type: array
            required:
            - from
            - to
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
    gateway.networking.k8s.io/bundle-version: v1.1.0
    gateway.networking.k8s.io/channel: experimental
  creationTimestamp: null
  name: tcproutes.gateway.networking.k8s.io
spec:
  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
    kind: TCPRoute
    listKind: TCPRouteList
    plural: tcproutes
    singular: tcproute
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: |-
          TCPRoute provides a way to route TCP requests. When combined with a Gateway
          listener, it can be used to forward connections on the port specified by the
          listener to a set of backends specified by the TCPRoute.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of TCPRoute.
            properties:
              parentRefs:
                description: |+
                  ParentRefs references the resources (usually Gateways) that a Route wants
                  to be attached to. Note that the referenced parent resource needs to
                  allow this for the attachment to be complete. For Gateways, that means
                  the Gateway needs to allow attachment from Routes of this kind and
                  namespace. For Services, that means the Service must either be in the same
                  namespace for a "producer" route, or the mesh implementation must support
                  and allow "consumer" routes for the referenced Service. ReferenceGrant is
                  not applicable for governing ParentRefs to Services - it is not possible to
                  create a "producer" route for a Service in a different namespace from the
                  Route.


                  There are two kinds of parent resources with "Core" support:


                  * Gateway (Gateway conformance profile)
                  * Service (Mesh conformance profile, ClusterIP Services only)


                  This API may be extended in the future to support additional kinds of parent
                  resources.


                  ParentRefs must be _distinct_. This means either that:


                  * They select different objects. If this is the case, then parentRef
                  entries are distinct. In terms of fields, this means that the
                  multi-part key defined by `group`, `kind`, `namespace`, and `name` must
                  be unique across all parentRef entries in the Route.
                  * They do not select different objects, but for each optional field used,
                  each ParentRef that selects the same object must set the same set of
                  optional fields to different values. If one ParentRef sets a
                  combination of optional fields, all must set the same combination.


                  Some examples:


                  * If one ParentRef sets `sectionName`, all ParentRefs referencing the
                  same object must also set `sectionName`.
                  * If one ParentRef sets `port`, all ParentRefs referencing the same
                  object must also set `port`.
                  * If one ParentRef sets `sectionName` and `port`, all ParentRefs
                  referencing the same object must also set `sectionName` and `port`.


                  It is possible to separately reference multiple distinct objects that may
                  be collapsed by an implementation. For example, some implementations may
                  choose to merge compatible Gateway Listeners together. If that is the
                  case, the list of routes attached to those resources should also be
                  merged.


                  Note that for ParentRefs that cross namespace boundaries, there are specific
                  rules. Cross-namespace references are only valid if they are explicitly
                  allowed by something in the namespace they are referring to. For example,
                  Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                  generic way to enable other kinds of cross-namespace reference.



                  ParentRefs from a Route to a Service in the same namespace are "producer"
                  routes, which apply default routing rules to inbound connections from
                  any namespace to the Service.


                  ParentRefs from a Route to a Service in a different namespace are
                  "consumer" routes, and these routing rules are only applied to outbound
                  connections originating from the same namespace as the Route, for which
                  the intended destination of the connections are a Service targeted as a
                  ParentRef of the Route.






                items:
                  description: |-
                    ParentReference identifies an API object (usually a Gateway) that can be considered
                    a parent of this resource (usually a route). There are two kinds of parent resources
                    with "Core" support:


                    * Gateway (Gateway conformance profile)
                    * Service (Mesh conformance profile, ClusterIP Services only)


                    This API may be extended in the future to support additional kinds of parent
                    resources.


                    The API object must be valid in the cluster; the Group and Kind must
                    be registered in the cluster for this reference to be valid.
                  properties:
                    group:
                      default: gateway.networking.k8s.io
                      description: |-
                        Group is the group of the referent.
                        When unspecified, "gateway.networking.k8s.io" is inferred.
                        To set the core API group (such as for a "Service" kind referent),
                        Group must be explicitly set to "" (empty string).


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      default: Gateway
                      description: |-
                        Kind is kind of the referent.


                        There are two kinds of parent resources with "Core" support:


                        * Gateway (Gateway conformance profile)
                        * Service (Mesh conformance profile, ClusterIP Services only)


                        Support for other resources is Implementation-Specific.
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent. When unspecified, this refers
                        to the local namespace of the Route.


                        Note that there are specific rules for ParentRefs which cross namespace
                        boundaries. Cross-namespace references are only valid if they are explicitly
                        allowed by something in the namespace they are referring to. For example:
                        Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                        generic way to enable any other kind of cross-namespace reference.



                        ParentRefs from a Route to a Service in the same namespace are "producer"
                        routes, which apply default routing rules to inbound connections from
                        any namespace to the Service.


                        ParentRefs from a Route to a Service in a different namespace are
                        "consumer" routes, and these routing rules are only applied to outbound
                        connections originating from the same namespace as the Route, for which
                        the intended destination of the connections are a Service targeted as a
                        ParentRef of the Route.



                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    port:
                      description: |-
                        Port is the network port this Route targets. It can be interpreted
                        differently based on the type of parent resource.


                        When the parent resource is a Gateway, this targets all listeners
                        listening on the specified port that also support this kind of Route(and
                        select this Route). It's not recommended to set `Port` unless the
                        networking behaviors specified in a Route must apply to a specific port
                        as opposed to a listener(s) whose port(s) may be changed. When both Port
                        and SectionName are specified, the name and port of the selected listener
                        must match both specified values.



                        When the parent resource is a Service, this targets a specific port in the
                        Service spec. When both Port (experimental) and SectionName are specified,
                        the name and port of the selected port must match both specified values.



                        Implementations MAY choose to support other parent resources.
                        Implementations supporting other types of parent resources MUST clearly
                        document how/if Port is interpreted.


                        For the purpose of status, an attachment is considered successful as
                        long as the parent resource accepts it partially. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                        from the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route,
                        the Route MUST be considered detached from the Gateway.


                        Support: Extended
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    sectionName:
                      description: |-
                        SectionName is the name of a section within the target resource. In the
                        following resources, SectionName is interpreted as the following:


                        * Gateway: Listener name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.
                        * Service: Port name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.


                        Implementations MAY choose to support attaching Routes to other resources.
                        If that is the case, they MUST clearly document how SectionName is
                        interpreted.


                        When unspecified (empty string), this will reference the entire resource.
                        For the purpose of status, an attachment is considered successful if at
                        least one section in the parent resource accepts it. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                        the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route, the
                        Route MUST be considered detached from the Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                  required:
                  - name
                  type: object
                maxItems: 32
                type: array
                x-kubernetes-validations:
                - message: sectionName or port must be specified when parentRefs includes
                    2 or more references to the same parent
                  rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
                    == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
                    || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
                    == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
                    || p2.port == 0)): true))'
                - message: sectionName or port must be unique when parentRefs includes
                    2 or more references to the same parent
                  rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
                    == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
                    || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
                    == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
                    == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
                    || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
                    == p2.port))))
              rules:
                description: Rules are a list of TCP matchers and actions.
                items:
                  description: TCPRouteRule is the configuration for a given rule.
                  properties:
                    backendRefs:
                      description: |-
                        BackendRefs defines the backend(s) where matching requests should be
                        sent. If unspecified or invalid (refers to a non-existent resource or a
                        Service with no endpoints), the underlying implementation MUST actively
                        reject connection attempts to this backend. Connection rejections must
                        respect weight; if an invalid backend is requested to have 80% of
                        connections, then 80% of connections must be rejected instead.


                        Support: Core for Kubernetes Service


                        Support: Extended for Kubernetes ServiceImport


                        Support: Implementation-specific for any other resource


                        Support for weight: Extended
                      items:
                        description: |-
                          BackendRef defines how a Route should forward a request to a Kubernetes
                          resource.


                          Note that when a namespace different than the local namespace is specified, a
                          ReferenceGrant object is required in the referent namespace to allow that
                          namespace's owner to accept the reference. See the ReferenceGrant
                          documentation for details.


                          <gateway:experimental:description>


                          When the BackendRef points to a Kubernetes Service, implementations SHOULD
                          honor the appProtocol field if it is set for the target Service Port.


                          Implementations supporting appProtocol SHOULD recognize the Kubernetes
                          Standard Application Protocols defined in KEP-3726.


                          If a Service appProtocol isn't specified, an implementation MAY infer the
                          backend protocol through its own means. Implementations MAY infer the
                          protocol from the Route type referring to the backend Service.


                          If a Route is not able to send traffic to the backend using the specified
                          protocol then the backend is considered invalid. Implementations MUST set the
                          "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.


                          </gateway:experimental:description>


                          Note that when the BackendTLSPolicy object is enabled by the implementation,
                          there are some extra rules about validity to consider here. See the fields
                          where this struct is used for more information about the exact behavior.
                        properties:
                          group:
                            default: ""
                            description: |-
                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
                              When unspecified or empty string, core API group is inferred.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            default: Service
                            description: |-
                              Kind is the Kubernetes resource kind of the referent. For example
                              "Service".


                              Defaults to "Service" when not specified.


                              ExternalName services can refer to CNAME DNS records that may live
                              outside of the cluster and as such are difficult to reason about in
                              terms of conformance. They also may not be safe to forward to (see
                              CVE-2021-25740 for more information). Implementations SHOULD NOT
                              support ExternalName Services.


                              Support: Core (Services with a type other than ExternalName)


                              Support: Implementation-specific (Services with type ExternalName)
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                          name:
                            description: Name is the name of the referent.
                            maxLength: 253
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace is the namespace of the backend. When unspecified, the local
                              namespace is inferred.


                              Note that when a namespace different than the local namespace is specified,
                              a ReferenceGrant object is required in the referent namespace to allow that
                              namespace's owner to accept the reference. See the ReferenceGrant
                              documentation for details.


                              Support: Core
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          port:
                            description: |-
                              Port specifies the destination port number to use for this resource.
                              Port is required when the referent is a Kubernetes Service. In this
                              case, the port number is the service port number, not the target port.
                              For other resources, destination port might be derived from the referent
                              resource or this field.
                            format: int32
                            maximum: 65535
                            minimum: 1
                            type: integer
                          weight:
                            default: 1
                            description: |-
                              Weight specifies the proportion of requests forwarded to the referenced
                              backend. This is computed as weight/(sum of all weights in this
                              BackendRefs list). For non-zero values, there may be some epsilon from
                              the exact proportion defined here depending on the precision an
                              implementation supports. Weight is not a percentage and the sum of
                              weights does not need to equal 100.


                              If only one backend is specified and it has a weight greater than 0, 100%
                              of the traffic is forwarded to that backend. If weight is set to 0, no
                              traffic should be forwarded for this entry. If unspecified, weight
                              defaults to 1.


                              Support for this field varies based on the context where used.
                            format: int32
                            maximum: 1000000
                            minimum: 0
                            type: integer
                        required:
                        - name
                        type: object
                        x-kubernetes-validations:
                        - message: Must have port for Service reference
                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
                            ? has(self.port) : true'
                      maxItems: 16
                      minItems: 1
                      type: array
                  type: object
                maxItems: 16
                minItems: 1
                type: array
            required:
            - rules
            type: object
          status:
            description: Status defines the current state of TCPRoute.
            properties:
              parents:
                description: |-
                  Parents is a list of parent resources (usually Gateways) that are
                  associated with the route, and the status of the route with respect to
                  each parent. When this route attaches to a parent, the controller that
                  manages the parent must add an entry to this list when the controller
                  first sees the route and should update the entry as appropriate when the
                  route or gateway is modified.


                  Note that parent references that cannot be resolved by an implementation
                  of this API will not be added to this list. Implementations of this API
                  can only populate Route status for the Gateways/parent resources they are
                  responsible for.


                  A maximum of 32 Gateways will be represented in this list. An empty list
                  means the route has not been attached to any Gateway.
                items:
                  description: |-
                    RouteParentStatus describes the status of a route with respect to an
                    associated Parent.
                  properties:
                    conditions:
                      description: |-
                        Conditions describes the status of the route with respect to the Gateway.
                        Note that the route's availability is also subject to the Gateway's own
                        status conditions and listener status.


                        If the Route's ParentRef specifies an existing Gateway that supports
                        Routes of this kind AND that Gateway's controller has sufficient access,
                        then that Gateway's controller MUST set the "Accepted" condition on the
                        Route, to indicate whether the route has been accepted or rejected by the
                        Gateway, and why.


                        A Route MUST be considered "Accepted" if at least one of the Route's
                        rules is implemented by the Gateway.


                        There are a number of cases where the "Accepted" condition may not be set
                        due to lack of controller visibility, that includes when:


                        * The Route refers to a non-existent parent.
                        * The Route is of a type that the controller does not support.
                        * The Route is in a namespace the controller does not have access to.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      minItems: 1
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    controllerName:
                      description: |-
                        ControllerName is a domain/path string that indicates the name of the
                        controller that wrote this status. This corresponds with the
                        controllerName field on GatewayClass.


                        Example: "example.net/gateway-controller".


                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
                        valid Kubernetes names
                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).


                        Controllers MUST populate this field when writing status. Controllers should ensure that
                        entries to status populated with their ControllerName are cleaned up when they are no
                        longer necessary.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    parentRef:
                      description: |-
                        ParentRef corresponds with a ParentRef in the spec that this
                        RouteParentStatus struct describes the status of.
                      properties:
                        group:
                          default: gateway.networking.k8s.io
                          description: |-
                            Group is the group of the referent.
                            When unspecified, "gateway.networking.k8s.io" is inferred.
                            To set the core API group (such as for a "Service" kind referent),
                            Group must be explicitly set to "" (empty string).


                            Support: Core
                          maxLength: 253
                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        kind:
                          default: Gateway
                          description: |-
                            Kind is kind of the referent.


                            There are two kinds of parent resources with "Core" support:


                            * Gateway (Gateway conformance profile)
                            * Service (Mesh conformance profile, ClusterIP Services only)


                            Support for other resources is Implementation-Specific.
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                          type: string
                        name:
                          description: |-
                            Name is the name of the referent.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          type: string
                        namespace:
                          description: |-
                            Namespace is the namespace of the referent. When unspecified, this refers
                            to the local namespace of the Route.


                            Note that there are specific rules for ParentRefs which cross namespace
                            boundaries. Cross-namespace references are only valid if they are explicitly
                            allowed by something in the namespace they are referring to. For example:
                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                            generic way to enable any other kind of cross-namespace reference.



                            ParentRefs from a Route to a Service in the same namespace are "producer"
                            routes, which apply default routing rules to inbound connections from
                            any namespace to the Service.


                            ParentRefs from a Route to a Service in a different namespace are
                            "consumer" routes, and these routing rules are only applied to outbound
                            connections originating from the same namespace as the Route, for which
                            the intended destination of the connections are a Service targeted as a
                            ParentRef of the Route.



                            Support: Core
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                          type: string
                        port:
                          description: |-
                            Port is the network port this Route targets. It can be interpreted
                            differently based on the type of parent resource.


                            When the parent resource is a Gateway, this targets all listeners
                            listening on the specified port that also support this kind of Route(and
                            select this Route). It's not recommended to set `Port` unless the
                            networking behaviors specified in a Route must apply to a specific port
                            as opposed to a listener(s) whose port(s) may be changed. When both Port
                            and SectionName are specified, the name and port of the selected listener
                            must match both specified values.



                            When the parent resource is a Service, this targets a specific port in the
                            Service spec. When both Port (experimental) and SectionName are specified,
                            the name and port of the selected port must match both specified values.



                            Implementations MAY choose to support other parent resources.
                            Implementations supporting other types of parent resources MUST clearly
                            document how/if Port is interpreted.


                            For the purpose of status, an attachment is considered successful as
                            long as the parent resource accepts it partially. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                            from the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route,
                            the Route MUST be considered detached from the Gateway.


                            Support: Extended
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        sectionName:
                          description: |-
                            SectionName is the name of a section within the target resource. In the
                            following resources, SectionName is interpreted as the following:


                            * Gateway: Listener name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.
                            * Service: Port name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.


                            Implementations MAY choose to support attaching Routes to other resources.
                            If that is the case, they MUST clearly document how SectionName is
                            interpreted.


                            When unspecified (empty string), this will reference the entire resource.
                            For the purpose of status, an attachment is considered successful if at
                            least one section in the parent resource accepts it. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                            the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route, the
                            Route MUST be considered detached from the Gateway.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                      required:
                      - name
                      type: object
                  required:
                  - controllerName
                  - parentRef
                  type: object
                maxItems: 32
                type: array
            required:
            - parents
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
    gateway.networking.k8s.io/bundle-version: v1.1.0
    gateway.networking.k8s.io/channel: experimental
  creationTimestamp: null
  name: tlsroutes.gateway.networking.k8s.io
spec:
  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
    kind: TLSRoute
    listKind: TLSRouteList
    plural: tlsroutes
    singular: tlsroute
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: |-
          The TLSRoute resource is similar to TCPRoute, but can be configured
          to match against TLS-specific metadata. This allows more flexibility
          in matching streams for a given TLS listener.


          If you need to forward traffic to a single target for a TLS listener, you
          could choose to use a TCPRoute with a TLS listener.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of TLSRoute.
            properties:
              hostnames:
                description: |-
                  Hostnames defines a set of SNI names that should match against the
                  SNI attribute of TLS ClientHello message in TLS handshake. This matches
                  the RFC 1123 definition of a hostname with 2 notable exceptions:


                  1. IPs are not allowed in SNI names per RFC 6066.
                  2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                  label must appear by itself as the first label.


                  If a hostname is specified by both the Listener and TLSRoute, there
                  must be at least one intersecting hostname for the TLSRoute to be
                  attached to the Listener. For example:


                  * A Listener with `test.example.com` as the hostname matches TLSRoutes
                  that have either not specified any hostnames, or have specified at
                  least one of `test.example.com` or `*.example.com`.
                  * A Listener with `*.example.com` as the hostname matches TLSRoutes
                  that have either not specified any hostnames or have specified at least
                  one hostname that matches the Listener hostname. For example,
                  `test.example.com` and `*.example.com` would both match. On the other
                  hand, `example.com` and `test.example.net` would not match.


                  If both the Listener and TLSRoute have specified hostnames, any
                  TLSRoute hostnames that do not match the Listener hostname MUST be
                  ignored. For example, if a Listener specified `*.example.com`, and the
                  TLSRoute specified `test.example.com` and `test.example.net`,
                  `test.example.net` must not be considered for a match.


                  If both the Listener and TLSRoute have specified hostnames, and none
                  match with the criteria above, then the TLSRoute is not accepted. The
                  implementation must raise an 'Accepted' Condition with a status of
                  `False` in the corresponding RouteParentStatus.


                  Support: Core
                items:
                  description: |-
                    Hostname is the fully qualified domain name of a network host. This matches
                    the RFC 1123 definition of a hostname with 2 notable exceptions:


                    1. IPs are not allowed.
                    2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
                    label must appear by itself as the first label.


                    Hostname can be "precise" which is a domain name without the terminating
                    dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
                    domain name prefixed with a single wildcard label (e.g. `*.example.com`).


                    Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
                    alphanumeric characters or '-', and must start and end with an alphanumeric
                    character. No other punctuation is allowed.
                  maxLength: 253
                  minLength: 1
                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                  type: string
                maxItems: 16
                type: array
              parentRefs:
                description: |+
                  ParentRefs references the resources (usually Gateways) that a Route wants
                  to be attached to. Note that the referenced parent resource needs to
                  allow this for the attachment to be complete. For Gateways, that means
                  the Gateway needs to allow attachment from Routes of this kind and
                  namespace. For Services, that means the Service must either be in the same
                  namespace for a "producer" route, or the mesh implementation must support
                  and allow "consumer" routes for the referenced Service. ReferenceGrant is
                  not applicable for governing ParentRefs to Services - it is not possible to
                  create a "producer" route for a Service in a different namespace from the
                  Route.


                  There are two kinds of parent resources with "Core" support:


                  * Gateway (Gateway conformance profile)
                  * Service (Mesh conformance profile, ClusterIP Services only)


                  This API may be extended in the future to support additional kinds of parent
                  resources.


                  ParentRefs must be _distinct_. This means either that:


                  * They select different objects. If this is the case, then parentRef
                  entries are distinct. In terms of fields, this means that the
                  multi-part key defined by `group`, `kind`, `namespace`, and `name` must
                  be unique across all parentRef entries in the Route.
                  * They do not select different objects, but for each optional field used,
                  each ParentRef that selects the same object must set the same set of
                  optional fields to different values. If one ParentRef sets a
                  combination of optional fields, all must set the same combination.


                  Some examples:


                  * If one ParentRef sets `sectionName`, all ParentRefs referencing the
                  same object must also set `sectionName`.
                  * If one ParentRef sets `port`, all ParentRefs referencing the same
                  object must also set `port`.
                  * If one ParentRef sets `sectionName` and `port`, all ParentRefs
                  referencing the same object must also set `sectionName` and `port`.


                  It is possible to separately reference multiple distinct objects that may
                  be collapsed by an implementation. For example, some implementations may
                  choose to merge compatible Gateway Listeners together. If that is the
                  case, the list of routes attached to those resources should also be
                  merged.


                  Note that for ParentRefs that cross namespace boundaries, there are specific
                  rules. Cross-namespace references are only valid if they are explicitly
                  allowed by something in the namespace they are referring to. For example,
                  Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                  generic way to enable other kinds of cross-namespace reference.



                  ParentRefs from a Route to a Service in the same namespace are "producer"
                  routes, which apply default routing rules to inbound connections from
                  any namespace to the Service.


                  ParentRefs from a Route to a Service in a different namespace are
                  "consumer" routes, and these routing rules are only applied to outbound
                  connections originating from the same namespace as the Route, for which
                  the intended destination of the connections are a Service targeted as a
                  ParentRef of the Route.






                items:
                  description: |-
                    ParentReference identifies an API object (usually a Gateway) that can be considered
                    a parent of this resource (usually a route). There are two kinds of parent resources
                    with "Core" support:


                    * Gateway (Gateway conformance profile)
                    * Service (Mesh conformance profile, ClusterIP Services only)


                    This API may be extended in the future to support additional kinds of parent
                    resources.


                    The API object must be valid in the cluster; the Group and Kind must
                    be registered in the cluster for this reference to be valid.
                  properties:
                    group:
                      default: gateway.networking.k8s.io
                      description: |-
                        Group is the group of the referent.
                        When unspecified, "gateway.networking.k8s.io" is inferred.
                        To set the core API group (such as for a "Service" kind referent),
                        Group must be explicitly set to "" (empty string).


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      default: Gateway
                      description: |-
                        Kind is kind of the referent.


                        There are two kinds of parent resources with "Core" support:


                        * Gateway (Gateway conformance profile)
                        * Service (Mesh conformance profile, ClusterIP Services only)


                        Support for other resources is Implementation-Specific.
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent. When unspecified, this refers
                        to the local namespace of the Route.


                        Note that there are specific rules for ParentRefs which cross namespace
                        boundaries. Cross-namespace references are only valid if they are explicitly
                        allowed by something in the namespace they are referring to. For example:
                        Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                        generic way to enable any other kind of cross-namespace reference.



                        ParentRefs from a Route to a Service in the same namespace are "producer"
                        routes, which apply default routing rules to inbound connections from
                        any namespace to the Service.


                        ParentRefs from a Route to a Service in a different namespace are
                        "consumer" routes, and these routing rules are only applied to outbound
                        connections originating from the same namespace as the Route, for which
                        the intended destination of the connections are a Service targeted as a
                        ParentRef of the Route.



                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    port:
                      description: |-
                        Port is the network port this Route targets. It can be interpreted
                        differently based on the type of parent resource.


                        When the parent resource is a Gateway, this targets all listeners
                        listening on the specified port that also support this kind of Route(and
                        select this Route). It's not recommended to set `Port` unless the
                        networking behaviors specified in a Route must apply to a specific port
                        as opposed to a listener(s) whose port(s) may be changed. When both Port
                        and SectionName are specified, the name and port of the selected listener
                        must match both specified values.



                        When the parent resource is a Service, this targets a specific port in the
                        Service spec. When both Port (experimental) and SectionName are specified,
                        the name and port of the selected port must match both specified values.



                        Implementations MAY choose to support other parent resources.
                        Implementations supporting other types of parent resources MUST clearly
                        document how/if Port is interpreted.


                        For the purpose of status, an attachment is considered successful as
                        long as the parent resource accepts it partially. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                        from the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route,
                        the Route MUST be considered detached from the Gateway.


                        Support: Extended
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    sectionName:
                      description: |-
                        SectionName is the name of a section within the target resource. In the
                        following resources, SectionName is interpreted as the following:


                        * Gateway: Listener name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.
                        * Service: Port name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.


                        Implementations MAY choose to support attaching Routes to other resources.
                        If that is the case, they MUST clearly document how SectionName is
                        interpreted.


                        When unspecified (empty string), this will reference the entire resource.
                        For the purpose of status, an attachment is considered successful if at
                        least one section in the parent resource accepts it. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                        the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route, the
                        Route MUST be considered detached from the Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                  required:
                  - name
                  type: object
                maxItems: 32
                type: array
                x-kubernetes-validations:
                - message: sectionName or port must be specified when parentRefs includes
                    2 or more references to the same parent
                  rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
                    == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
                    || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
                    == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
                    || p2.port == 0)): true))'
                - message: sectionName or port must be unique when parentRefs includes
                    2 or more references to the same parent
                  rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
                    == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
                    || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
                    == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
                    == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
                    || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
                    == p2.port))))
              rules:
                description: Rules are a list of TLS matchers and actions.
                items:
                  description: TLSRouteRule is the configuration for a given rule.
                  properties:
                    backendRefs:
                      description: |-
                        BackendRefs defines the backend(s) where matching requests should be
                        sent. If unspecified or invalid (refers to a non-existent resource or
                        a Service with no endpoints), the rule performs no forwarding; if no
                        filters are specified that would result in a response being sent, the
                        underlying implementation must actively reject request attempts to this
                        backend, by rejecting the connection or returning a 500 status code.
                        Request rejections must respect weight; if an invalid backend is
                        requested to have 80% of requests, then 80% of requests must be rejected
                        instead.


                        Support: Core for Kubernetes Service


                        Support: Extended for Kubernetes ServiceImport


                        Support: Implementation-specific for any other resource


                        Support for weight: Extended
                      items:
                        description: |-
                          BackendRef defines how a Route should forward a request to a Kubernetes
                          resource.


                          Note that when a namespace different than the local namespace is specified, a
                          ReferenceGrant object is required in the referent namespace to allow that
                          namespace's owner to accept the reference. See the ReferenceGrant
                          documentation for details.


                          <gateway:experimental:description>


                          When the BackendRef points to a Kubernetes Service, implementations SHOULD
                          honor the appProtocol field if it is set for the target Service Port.


                          Implementations supporting appProtocol SHOULD recognize the Kubernetes
                          Standard Application Protocols defined in KEP-3726.


                          If a Service appProtocol isn't specified, an implementation MAY infer the
                          backend protocol through its own means. Implementations MAY infer the
                          protocol from the Route type referring to the backend Service.


                          If a Route is not able to send traffic to the backend using the specified
                          protocol then the backend is considered invalid. Implementations MUST set the
                          "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.


                          </gateway:experimental:description>


                          Note that when the BackendTLSPolicy object is enabled by the implementation,
                          there are some extra rules about validity to consider here. See the fields
                          where this struct is used for more information about the exact behavior.
                        properties:
                          group:
                            default: ""
                            description: |-
                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
                              When unspecified or empty string, core API group is inferred.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            default: Service
                            description: |-
                              Kind is the Kubernetes resource kind of the referent. For example
                              "Service".


                              Defaults to "Service" when not specified.


                              ExternalName services can refer to CNAME DNS records that may live
                              outside of the cluster and as such are difficult to reason about in
                              terms of conformance. They also may not be safe to forward to (see
                              CVE-2021-25740 for more information). Implementations SHOULD NOT
                              support ExternalName Services.


                              Support: Core (Services with a type other than ExternalName)


                              Support: Implementation-specific (Services with type ExternalName)
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                          name:
                            description: Name is the name of the referent.
                            maxLength: 253
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace is the namespace of the backend. When unspecified, the local
                              namespace is inferred.


                              Note that when a namespace different than the local namespace is specified,
                              a ReferenceGrant object is required in the referent namespace to allow that
                              namespace's owner to accept the reference. See the ReferenceGrant
                              documentation for details.


                              Support: Core
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          port:
                            description: |-
                              Port specifies the destination port number to use for this resource.
                              Port is required when the referent is a Kubernetes Service. In this
                              case, the port number is the service port number, not the target port.
                              For other resources, destination port might be derived from the referent
                              resource or this field.
                            format: int32
                            maximum: 65535
                            minimum: 1
                            type: integer
                          weight:
                            default: 1
                            description: |-
                              Weight specifies the proportion of requests forwarded to the referenced
                              backend. This is computed as weight/(sum of all weights in this
                              BackendRefs list). For non-zero values, there may be some epsilon from
                              the exact proportion defined here depending on the precision an
                              implementation supports. Weight is not a percentage and the sum of
                              weights does not need to equal 100.


                              If only one backend is specified and it has a weight greater than 0, 100%
                              of the traffic is forwarded to that backend. If weight is set to 0, no
                              traffic should be forwarded for this entry. If unspecified, weight
                              defaults to 1.


                              Support for this field varies based on the context where used.
                            format: int32
                            maximum: 1000000
                            minimum: 0
                            type: integer
                        required:
                        - name
                        type: object
                        x-kubernetes-validations:
                        - message: Must have port for Service reference
                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
                            ? has(self.port) : true'
                      maxItems: 16
                      minItems: 1
                      type: array
                  type: object
                maxItems: 16
                minItems: 1
                type: array
            required:
            - rules
            type: object
          status:
            description: Status defines the current state of TLSRoute.
            properties:
              parents:
                description: |-
                  Parents is a list of parent resources (usually Gateways) that are
                  associated with the route, and the status of the route with respect to
                  each parent. When this route attaches to a parent, the controller that
                  manages the parent must add an entry to this list when the controller
                  first sees the route and should update the entry as appropriate when the
                  route or gateway is modified.


                  Note that parent references that cannot be resolved by an implementation
                  of this API will not be added to this list. Implementations of this API
                  can only populate Route status for the Gateways/parent resources they are
                  responsible for.


                  A maximum of 32 Gateways will be represented in this list. An empty list
                  means the route has not been attached to any Gateway.
                items:
                  description: |-
                    RouteParentStatus describes the status of a route with respect to an
                    associated Parent.
                  properties:
                    conditions:
                      description: |-
                        Conditions describes the status of the route with respect to the Gateway.
                        Note that the route's availability is also subject to the Gateway's own
                        status conditions and listener status.


                        If the Route's ParentRef specifies an existing Gateway that supports
                        Routes of this kind AND that Gateway's controller has sufficient access,
                        then that Gateway's controller MUST set the "Accepted" condition on the
                        Route, to indicate whether the route has been accepted or rejected by the
                        Gateway, and why.


                        A Route MUST be considered "Accepted" if at least one of the Route's
                        rules is implemented by the Gateway.


                        There are a number of cases where the "Accepted" condition may not be set
                        due to lack of controller visibility, that includes when:


                        * The Route refers to a non-existent parent.
                        * The Route is of a type that the controller does not support.
                        * The Route is in a namespace the controller does not have access to.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      minItems: 1
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    controllerName:
                      description: |-
                        ControllerName is a domain/path string that indicates the name of the
                        controller that wrote this status. This corresponds with the
                        controllerName field on GatewayClass.


                        Example: "example.net/gateway-controller".


                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
                        valid Kubernetes names
                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).


                        Controllers MUST populate this field when writing status. Controllers should ensure that
                        entries to status populated with their ControllerName are cleaned up when they are no
                        longer necessary.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    parentRef:
                      description: |-
                        ParentRef corresponds with a ParentRef in the spec that this
                        RouteParentStatus struct describes the status of.
                      properties:
                        group:
                          default: gateway.networking.k8s.io
                          description: |-
                            Group is the group of the referent.
                            When unspecified, "gateway.networking.k8s.io" is inferred.
                            To set the core API group (such as for a "Service" kind referent),
                            Group must be explicitly set to "" (empty string).


                            Support: Core
                          maxLength: 253
                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        kind:
                          default: Gateway
                          description: |-
                            Kind is kind of the referent.


                            There are two kinds of parent resources with "Core" support:


                            * Gateway (Gateway conformance profile)
                            * Service (Mesh conformance profile, ClusterIP Services only)


                            Support for other resources is Implementation-Specific.
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                          type: string
                        name:
                          description: |-
                            Name is the name of the referent.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          type: string
                        namespace:
                          description: |-
                            Namespace is the namespace of the referent. When unspecified, this refers
                            to the local namespace of the Route.


                            Note that there are specific rules for ParentRefs which cross namespace
                            boundaries. Cross-namespace references are only valid if they are explicitly
                            allowed by something in the namespace they are referring to. For example:
                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                            generic way to enable any other kind of cross-namespace reference.



                            ParentRefs from a Route to a Service in the same namespace are "producer"
                            routes, which apply default routing rules to inbound connections from
                            any namespace to the Service.


                            ParentRefs from a Route to a Service in a different namespace are
                            "consumer" routes, and these routing rules are only applied to outbound
                            connections originating from the same namespace as the Route, for which
                            the intended destination of the connections are a Service targeted as a
                            ParentRef of the Route.



                            Support: Core
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                          type: string
                        port:
                          description: |-
                            Port is the network port this Route targets. It can be interpreted
                            differently based on the type of parent resource.


                            When the parent resource is a Gateway, this targets all listeners
                            listening on the specified port that also support this kind of Route(and
                            select this Route). It's not recommended to set `Port` unless the
                            networking behaviors specified in a Route must apply to a specific port
                            as opposed to a listener(s) whose port(s) may be changed. When both Port
                            and SectionName are specified, the name and port of the selected listener
                            must match both specified values.



                            When the parent resource is a Service, this targets a specific port in the
                            Service spec. When both Port (experimental) and SectionName are specified,
                            the name and port of the selected port must match both specified values.



                            Implementations MAY choose to support other parent resources.
                            Implementations supporting other types of parent resources MUST clearly
                            document how/if Port is interpreted.


                            For the purpose of status, an attachment is considered successful as
                            long as the parent resource accepts it partially. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                            from the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route,
                            the Route MUST be considered detached from the Gateway.


                            Support: Extended
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        sectionName:
                          description: |-
                            SectionName is the name of a section within the target resource. In the
                            following resources, SectionName is interpreted as the following:


                            * Gateway: Listener name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.
                            * Service: Port name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.


                            Implementations MAY choose to support attaching Routes to other resources.
                            If that is the case, they MUST clearly document how SectionName is
                            interpreted.


                            When unspecified (empty string), this will reference the entire resource.
                            For the purpose of status, an attachment is considered successful if at
                            least one section in the parent resource accepts it. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                            the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route, the
                            Route MUST be considered detached from the Gateway.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                      required:
                      - name
                      type: object
                  required:
                  - controllerName
                  - parentRef
                  type: object
                maxItems: 32
                type: array
            required:
            - parents
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
    gateway.networking.k8s.io/bundle-version: v1.1.0
    gateway.networking.k8s.io/channel: experimental
  creationTimestamp: null
  name: udproutes.gateway.networking.k8s.io
spec:
  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
    kind: UDPRoute
    listKind: UDPRouteList
    plural: udproutes
    singular: udproute
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: |-
          UDPRoute provides a way to route UDP traffic. When combined with a Gateway
          listener, it can be used to forward traffic on the port specified by the
          listener to a set of backends specified by the UDPRoute.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of UDPRoute.
            properties:
              parentRefs:
                description: |+
                  ParentRefs references the resources (usually Gateways) that a Route wants
                  to be attached to. Note that the referenced parent resource needs to
                  allow this for the attachment to be complete. For Gateways, that means
                  the Gateway needs to allow attachment from Routes of this kind and
                  namespace. For Services, that means the Service must either be in the same
                  namespace for a "producer" route, or the mesh implementation must support
                  and allow "consumer" routes for the referenced Service. ReferenceGrant is
                  not applicable for governing ParentRefs to Services - it is not possible to
                  create a "producer" route for a Service in a different namespace from the
                  Route.


                  There are two kinds of parent resources with "Core" support:


                  * Gateway (Gateway conformance profile)
                  * Service (Mesh conformance profile, ClusterIP Services only)


                  This API may be extended in the future to support additional kinds of parent
                  resources.


                  ParentRefs must be _distinct_. This means either that:


                  * They select different objects. If this is the case, then parentRef
                  entries are distinct. In terms of fields, this means that the
                  multi-part key defined by `group`, `kind`, `namespace`, and `name` must
                  be unique across all parentRef entries in the Route.
                  * They do not select different objects, but for each optional field used,
                  each ParentRef that selects the same object must set the same set of
                  optional fields to different values. If one ParentRef sets a
                  combination of optional fields, all must set the same combination.


                  Some examples:


                  * If one ParentRef sets `sectionName`, all ParentRefs referencing the
                  same object must also set `sectionName`.
                  * If one ParentRef sets `port`, all ParentRefs referencing the same
                  object must also set `port`.
                  * If one ParentRef sets `sectionName` and `port`, all ParentRefs
                  referencing the same object must also set `sectionName` and `port`.


                  It is possible to separately reference multiple distinct objects that may
                  be collapsed by an implementation. For example, some implementations may
                  choose to merge compatible Gateway Listeners together. If that is the
                  case, the list of routes attached to those resources should also be
                  merged.


                  Note that for ParentRefs that cross namespace boundaries, there are specific
                  rules. Cross-namespace references are only valid if they are explicitly
                  allowed by something in the namespace they are referring to. For example,
                  Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                  generic way to enable other kinds of cross-namespace reference.



                  ParentRefs from a Route to a Service in the same namespace are "producer"
                  routes, which apply default routing rules to inbound connections from
                  any namespace to the Service.


                  ParentRefs from a Route to a Service in a different namespace are
                  "consumer" routes, and these routing rules are only applied to outbound
                  connections originating from the same namespace as the Route, for which
                  the intended destination of the connections are a Service targeted as a
                  ParentRef of the Route.






                items:
                  description: |-
                    ParentReference identifies an API object (usually a Gateway) that can be considered
                    a parent of this resource (usually a route). There are two kinds of parent resources
                    with "Core" support:


                    * Gateway (Gateway conformance profile)
                    * Service (Mesh conformance profile, ClusterIP Services only)


                    This API may be extended in the future to support additional kinds of parent
                    resources.


                    The API object must be valid in the cluster; the Group and Kind must
                    be registered in the cluster for this reference to be valid.
                  properties:
                    group:
                      default: gateway.networking.k8s.io
                      description: |-
                        Group is the group of the referent.
                        When unspecified, "gateway.networking.k8s.io" is inferred.
                        To set the core API group (such as for a "Service" kind referent),
                        Group must be explicitly set to "" (empty string).


                        Support: Core
                      maxLength: 253
                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    kind:
                      default: Gateway
                      description: |-
                        Kind is kind of the referent.


                        There are two kinds of parent resources with "Core" support:


                        * Gateway (Gateway conformance profile)
                        * Service (Mesh conformance profile, ClusterIP Services only)


                        Support for other resources is Implementation-Specific.
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                      type: string
                    name:
                      description: |-
                        Name is the name of the referent.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      type: string
                    namespace:
                      description: |-
                        Namespace is the namespace of the referent. When unspecified, this refers
                        to the local namespace of the Route.


                        Note that there are specific rules for ParentRefs which cross namespace
                        boundaries. Cross-namespace references are only valid if they are explicitly
                        allowed by something in the namespace they are referring to. For example:
                        Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                        generic way to enable any other kind of cross-namespace reference.



                        ParentRefs from a Route to a Service in the same namespace are "producer"
                        routes, which apply default routing rules to inbound connections from
                        any namespace to the Service.


                        ParentRefs from a Route to a Service in a different namespace are
                        "consumer" routes, and these routing rules are only applied to outbound
                        connections originating from the same namespace as the Route, for which
                        the intended destination of the connections are a Service targeted as a
                        ParentRef of the Route.



                        Support: Core
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    port:
                      description: |-
                        Port is the network port this Route targets. It can be interpreted
                        differently based on the type of parent resource.


                        When the parent resource is a Gateway, this targets all listeners
                        listening on the specified port that also support this kind of Route(and
                        select this Route). It's not recommended to set `Port` unless the
                        networking behaviors specified in a Route must apply to a specific port
                        as opposed to a listener(s) whose port(s) may be changed. When both Port
                        and SectionName are specified, the name and port of the selected listener
                        must match both specified values.



                        When the parent resource is a Service, this targets a specific port in the
                        Service spec. When both Port (experimental) and SectionName are specified,
                        the name and port of the selected port must match both specified values.



                        Implementations MAY choose to support other parent resources.
                        Implementations supporting other types of parent resources MUST clearly
                        document how/if Port is interpreted.


                        For the purpose of status, an attachment is considered successful as
                        long as the parent resource accepts it partially. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                        from the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route,
                        the Route MUST be considered detached from the Gateway.


                        Support: Extended
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    sectionName:
                      description: |-
                        SectionName is the name of a section within the target resource. In the
                        following resources, SectionName is interpreted as the following:


                        * Gateway: Listener name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.
                        * Service: Port name. When both Port (experimental) and SectionName
                        are specified, the name and port of the selected listener must match
                        both specified values.


                        Implementations MAY choose to support attaching Routes to other resources.
                        If that is the case, they MUST clearly document how SectionName is
                        interpreted.


                        When unspecified (empty string), this will reference the entire resource.
                        For the purpose of status, an attachment is considered successful if at
                        least one section in the parent resource accepts it. For example, Gateway
                        listeners can restrict which Routes can attach to them by Route kind,
                        namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                        the referencing Route, the Route MUST be considered successfully
                        attached. If no Gateway listeners accept attachment from this Route, the
                        Route MUST be considered detached from the Gateway.


                        Support: Core
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                  required:
                  - name
                  type: object
                maxItems: 32
                type: array
                x-kubernetes-validations:
                - message: sectionName or port must be specified when parentRefs includes
                    2 or more references to the same parent
                  rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
                    == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
                    || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
                    == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
                    || p2.port == 0)): true))'
                - message: sectionName or port must be unique when parentRefs includes
                    2 or more references to the same parent
                  rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
                    == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
                    || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
                    == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
                    p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
                    || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
                    == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
                    == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
                    || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
                    == p2.port))))
              rules:
                description: Rules are a list of UDP matchers and actions.
                items:
                  description: UDPRouteRule is the configuration for a given rule.
                  properties:
                    backendRefs:
                      description: |-
                        BackendRefs defines the backend(s) where matching requests should be
                        sent. If unspecified or invalid (refers to a non-existent resource or a
                        Service with no endpoints), the underlying implementation MUST actively
                        reject connection attempts to this backend. Packet drops must
                        respect weight; if an invalid backend is requested to have 80% of
                        the packets, then 80% of packets must be dropped instead.


                        Support: Core for Kubernetes Service


                        Support: Extended for Kubernetes ServiceImport


                        Support: Implementation-specific for any other resource


                        Support for weight: Extended
                      items:
                        description: |-
                          BackendRef defines how a Route should forward a request to a Kubernetes
                          resource.


                          Note that when a namespace different than the local namespace is specified, a
                          ReferenceGrant object is required in the referent namespace to allow that
                          namespace's owner to accept the reference. See the ReferenceGrant
                          documentation for details.


                          <gateway:experimental:description>


                          When the BackendRef points to a Kubernetes Service, implementations SHOULD
                          honor the appProtocol field if it is set for the target Service Port.


                          Implementations supporting appProtocol SHOULD recognize the Kubernetes
                          Standard Application Protocols defined in KEP-3726.


                          If a Service appProtocol isn't specified, an implementation MAY infer the
                          backend protocol through its own means. Implementations MAY infer the
                          protocol from the Route type referring to the backend Service.


                          If a Route is not able to send traffic to the backend using the specified
                          protocol then the backend is considered invalid. Implementations MUST set the
                          "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.


                          </gateway:experimental:description>


                          Note that when the BackendTLSPolicy object is enabled by the implementation,
                          there are some extra rules about validity to consider here. See the fields
                          where this struct is used for more information about the exact behavior.
                        properties:
                          group:
                            default: ""
                            description: |-
                              Group is the group of the referent. For example, "gateway.networking.k8s.io".
                              When unspecified or empty string, core API group is inferred.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            default: Service
                            description: |-
                              Kind is the Kubernetes resource kind of the referent. For example
                              "Service".


                              Defaults to "Service" when not specified.


                              ExternalName services can refer to CNAME DNS records that may live
                              outside of the cluster and as such are difficult to reason about in
                              terms of conformance. They also may not be safe to forward to (see
                              CVE-2021-25740 for more information). Implementations SHOULD NOT
                              support ExternalName Services.


                              Support: Core (Services with a type other than ExternalName)


                              Support: Implementation-specific (Services with type ExternalName)
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                          name:
                            description: Name is the name of the referent.
                            maxLength: 253
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace is the namespace of the backend. When unspecified, the local
                              namespace is inferred.


                              Note that when a namespace different than the local namespace is specified,
                              a ReferenceGrant object is required in the referent namespace to allow that
                              namespace's owner to accept the reference. See the ReferenceGrant
                              documentation for details.


                              Support: Core
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          port:
                            description: |-
                              Port specifies the destination port number to use for this resource.
                              Port is required when the referent is a Kubernetes Service. In this
                              case, the port number is the service port number, not the target port.
                              For other resources, destination port might be derived from the referent
                              resource or this field.
                            format: int32
                            maximum: 65535
                            minimum: 1
                            type: integer
                          weight:
                            default: 1
                            description: |-
                              Weight specifies the proportion of requests forwarded to the referenced
                              backend. This is computed as weight/(sum of all weights in this
                              BackendRefs list). For non-zero values, there may be some epsilon from
                              the exact proportion defined here depending on the precision an
                              implementation supports. Weight is not a percentage and the sum of
                              weights does not need to equal 100.


                              If only one backend is specified and it has a weight greater than 0, 100%
                              of the traffic is forwarded to that backend. If weight is set to 0, no
                              traffic should be forwarded for this entry. If unspecified, weight
                              defaults to 1.


                              Support for this field varies based on the context where used.
                            format: int32
                            maximum: 1000000
                            minimum: 0
                            type: integer
                        required:
                        - name
                        type: object
                        x-kubernetes-validations:
                        - message: Must have port for Service reference
                          rule: '(size(self.group) == 0 && self.kind == ''Service'')
                            ? has(self.port) : true'
                      maxItems: 16
                      minItems: 1
                      type: array
                  type: object
                maxItems: 16
                minItems: 1
                type: array
            required:
            - rules
            type: object
          status:
            description: Status defines the current state of UDPRoute.
            properties:
              parents:
                description: |-
                  Parents is a list of parent resources (usually Gateways) that are
                  associated with the route, and the status of the route with respect to
                  each parent. When this route attaches to a parent, the controller that
                  manages the parent must add an entry to this list when the controller
                  first sees the route and should update the entry as appropriate when the
                  route or gateway is modified.


                  Note that parent references that cannot be resolved by an implementation
                  of this API will not be added to this list. Implementations of this API
                  can only populate Route status for the Gateways/parent resources they are
                  responsible for.


                  A maximum of 32 Gateways will be represented in this list. An empty list
                  means the route has not been attached to any Gateway.
                items:
                  description: |-
                    RouteParentStatus describes the status of a route with respect to an
                    associated Parent.
                  properties:
                    conditions:
                      description: |-
                        Conditions describes the status of the route with respect to the Gateway.
                        Note that the route's availability is also subject to the Gateway's own
                        status conditions and listener status.


                        If the Route's ParentRef specifies an existing Gateway that supports
                        Routes of this kind AND that Gateway's controller has sufficient access,
                        then that Gateway's controller MUST set the "Accepted" condition on the
                        Route, to indicate whether the route has been accepted or rejected by the
                        Gateway, and why.


                        A Route MUST be considered "Accepted" if at least one of the Route's
                        rules is implemented by the Gateway.


                        There are a number of cases where the "Accepted" condition may not be set
                        due to lack of controller visibility, that includes when:


                        * The Route refers to a non-existent parent.
                        * The Route is of a type that the controller does not support.
                        * The Route is in a namespace the controller does not have access to.
                      items:
                        description: "Condition contains details for one aspect of
                          the current state of this API Resource.\n---\nThis struct
                          is intended for direct use as an array at the field path
                          .status.conditions. For example,\n\n\n\ttype FooStatus
                          struct{\n\t // Represents the observations of a foo's
                          current state.\n\t // Known .status.conditions.type are:
                          \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                          +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
                          +listType=map\n\t // +listMapKey=type\n\t Conditions
                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                          \ // other fields\n\t}"
                        properties:
                          lastTransitionTime:
                            description: |-
                              lastTransitionTime is the last time the condition transitioned from one status to another.
                              This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            format: date-time
                            type: string
                          message:
                            description: |-
                              message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          observedGeneration:
                            description: |-
                              observedGeneration represents the .metadata.generation that the condition was set based upon.
                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                              with respect to the current state of the instance.
                            format: int64
                            minimum: 0
                            type: integer
                          reason:
                            description: |-
                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              type of condition in CamelCase or in foo.example.com/CamelCase.
                              ---
                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                              useful (see .node.status.conditions), the ability to deconflict is important.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      minItems: 1
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    controllerName:
                      description: |-
                        ControllerName is a domain/path string that indicates the name of the
                        controller that wrote this status. This corresponds with the
                        controllerName field on GatewayClass.


                        Example: "example.net/gateway-controller".


                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
                        valid Kubernetes names
                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).


                        Controllers MUST populate this field when writing status. Controllers should ensure that
                        entries to status populated with their ControllerName are cleaned up when they are no
                        longer necessary.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    parentRef:
                      description: |-
                        ParentRef corresponds with a ParentRef in the spec that this
                        RouteParentStatus struct describes the status of.
                      properties:
                        group:
                          default: gateway.networking.k8s.io
                          description: |-
                            Group is the group of the referent.
                            When unspecified, "gateway.networking.k8s.io" is inferred.
                            To set the core API group (such as for a "Service" kind referent),
                            Group must be explicitly set to "" (empty string).


                            Support: Core
                          maxLength: 253
                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        kind:
                          default: Gateway
                          description: |-
                            Kind is kind of the referent.


                            There are two kinds of parent resources with "Core" support:


                            * Gateway (Gateway conformance profile)
                            * Service (Mesh conformance profile, ClusterIP Services only)


                            Support for other resources is Implementation-Specific.
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                          type: string
                        name:
                          description: |-
                            Name is the name of the referent.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          type: string
                        namespace:
                          description: |-
                            Namespace is the namespace of the referent. When unspecified, this refers
                            to the local namespace of the Route.


                            Note that there are specific rules for ParentRefs which cross namespace
                            boundaries. Cross-namespace references are only valid if they are explicitly
                            allowed by something in the namespace they are referring to. For example:
                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
                            generic way to enable any other kind of cross-namespace reference.



                            ParentRefs from a Route to a Service in the same namespace are "producer"
                            routes, which apply default routing rules to inbound connections from
                            any namespace to the Service.


                            ParentRefs from a Route to a Service in a different namespace are
                            "consumer" routes, and these routing rules are only applied to outbound
                            connections originating from the same namespace as the Route, for which
                            the intended destination of the connections are a Service targeted as a
                            ParentRef of the Route.



                            Support: Core
                          maxLength: 63
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                          type: string
                        port:
                          description: |-
                            Port is the network port this Route targets. It can be interpreted
                            differently based on the type of parent resource.


                            When the parent resource is a Gateway, this targets all listeners
                            listening on the specified port that also support this kind of Route(and
                            select this Route). It's not recommended to set `Port` unless the
                            networking behaviors specified in a Route must apply to a specific port
                            as opposed to a listener(s) whose port(s) may be changed. When both Port
                            and SectionName are specified, the name and port of the selected listener
                            must match both specified values.



                            When the parent resource is a Service, this targets a specific port in the
                            Service spec. When both Port (experimental) and SectionName are specified,
                            the name and port of the selected port must match both specified values.



                            Implementations MAY choose to support other parent resources.
                            Implementations supporting other types of parent resources MUST clearly
                            document how/if Port is interpreted.


                            For the purpose of status, an attachment is considered successful as
                            long as the parent resource accepts it partially. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
                            from the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route,
                            the Route MUST be considered detached from the Gateway.


                            Support: Extended
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        sectionName:
                          description: |-
                            SectionName is the name of a section within the target resource. In the
                            following resources, SectionName is interpreted as the following:


                            * Gateway: Listener name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.
                            * Service: Port name. When both Port (experimental) and SectionName
                            are specified, the name and port of the selected listener must match
                            both specified values.


                            Implementations MAY choose to support attaching Routes to other resources.
                            If that is the case, they MUST clearly document how SectionName is
                            interpreted.


                            When unspecified (empty string), this will reference the entire resource.
                            For the purpose of status, an attachment is considered successful if at
                            least one section in the parent resource accepts it. For example, Gateway
                            listeners can restrict which Routes can attach to them by Route kind,
                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
                            the referencing Route, the Route MUST be considered successfully
                            attached. If no Gateway listeners accept attachment from this Route, the
                            Route MUST be considered detached from the Gateway.


                            Support: Core
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                      required:
                      - name
                      type: object
                  required:
                  - controllerName
                  - parentRef
                  type: object
                maxItems: 32
                type: array
            required:
            - parents
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null