sigs.k8s.io/gateway-api@v1.0.0/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml (about) 1 apiVersion: apiextensions.k8s.io/v1 2 kind: CustomResourceDefinition 3 metadata: 4 annotations: 5 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466 6 gateway.networking.k8s.io/bundle-version: v1.0.0 7 gateway.networking.k8s.io/channel: experimental 8 creationTimestamp: null 9 labels: 10 gateway.networking.k8s.io/policy: Direct 11 name: backendtlspolicies.gateway.networking.k8s.io 12 spec: 13 group: gateway.networking.k8s.io 14 names: 15 categories: 16 - gateway-api 17 kind: BackendTLSPolicy 18 listKind: BackendTLSPolicyList 19 plural: backendtlspolicies 20 shortNames: 21 - btlspolicy 22 singular: backendtlspolicy 23 scope: Namespaced 24 versions: 25 - additionalPrinterColumns: 26 - jsonPath: .metadata.creationTimestamp 27 name: Age 28 type: date 29 name: v1alpha2 30 schema: 31 openAPIV3Schema: 32 description: BackendTLSPolicy provides a way to configure how a Gateway connects 33 to a Backend via TLS. 34 properties: 35 apiVersion: 36 description: 'APIVersion defines the versioned schema of this representation 37 of an object. Servers should convert recognized schemas to the latest 38 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 39 type: string 40 kind: 41 description: 'Kind is a string value representing the REST resource this 42 object represents. Servers may infer this from the endpoint the client 43 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 44 type: string 45 metadata: 46 type: object 47 spec: 48 description: Spec defines the desired state of BackendTLSPolicy. 49 properties: 50 targetRef: 51 description: "TargetRef identifies an API object to apply the policy 52 to. Only Services have Extended support. Implementations MAY support 53 additional objects, with Implementation Specific support. Note that 54 this config applies to the entire referenced resource by default, 55 but this default may change in the future to provide a more granular 56 application of the policy. \n Support: Extended for Kubernetes Service 57 \n Support: Implementation-specific for any other resource" 58 properties: 59 group: 60 description: Group is the group of the target resource. 61 maxLength: 253 62 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 63 type: string 64 kind: 65 description: Kind is kind of the target resource. 66 maxLength: 63 67 minLength: 1 68 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 69 type: string 70 name: 71 description: Name is the name of the target resource. 72 maxLength: 253 73 minLength: 1 74 type: string 75 namespace: 76 description: Namespace is the namespace of the referent. When 77 unspecified, the local namespace is inferred. Even when policy 78 targets a resource in a different namespace, it MUST only apply 79 to traffic originating from the same namespace as the policy. 80 maxLength: 63 81 minLength: 1 82 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 83 type: string 84 sectionName: 85 description: "SectionName is the name of a section within the 86 target resource. When unspecified, this targetRef targets the 87 entire resource. In the following resources, SectionName is 88 interpreted as the following: \n * Gateway: Listener Name * 89 Service: Port Name \n If a SectionName is specified, but does 90 not exist on the targeted object, the Policy must fail to attach, 91 and the policy implementation should record a `ResolvedRefs` 92 or similar Condition in the Policy's status." 93 maxLength: 253 94 minLength: 1 95 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 96 type: string 97 required: 98 - group 99 - kind 100 - name 101 type: object 102 tls: 103 description: TLS contains backend TLS policy configuration. 104 properties: 105 caCertRefs: 106 description: "CACertRefs contains one or more references to Kubernetes 107 objects that contain a PEM-encoded TLS CA certificate bundle, 108 which is used to validate a TLS handshake between the Gateway 109 and backend Pod. \n If CACertRefs is empty or unspecified, then 110 WellKnownCACerts must be specified. Only one of CACertRefs or 111 WellKnownCACerts may be specified, not both. If CACertRefs is 112 empty or unspecified, the configuration for WellKnownCACerts 113 MUST be honored instead. \n References to a resource in a different 114 namespace are invalid for the moment, although we will revisit 115 this in the future. \n A single CACertRef to a Kubernetes ConfigMap 116 kind has \"Core\" support. Implementations MAY choose to support 117 attaching multiple certificates to a backend, but this behavior 118 is implementation-specific. \n Support: Core - An optional single 119 reference to a Kubernetes ConfigMap, with the CA certificate 120 in a key named `ca.crt`. \n Support: Implementation-specific 121 (More than one reference, or other kinds of resources)." 122 items: 123 description: "LocalObjectReference identifies an API object 124 within the namespace of the referrer. The API object must 125 be valid in the cluster; the Group and Kind must be registered 126 in the cluster for this reference to be valid. \n References 127 to objects with invalid Group and Kind are not valid, and 128 must be rejected by the implementation, with appropriate Conditions 129 set on the containing object." 130 properties: 131 group: 132 description: Group is the group of the referent. For example, 133 "gateway.networking.k8s.io". When unspecified or empty 134 string, core API group is inferred. 135 maxLength: 253 136 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 137 type: string 138 kind: 139 description: Kind is kind of the referent. For example "HTTPRoute" 140 or "Service". 141 maxLength: 63 142 minLength: 1 143 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 144 type: string 145 name: 146 description: Name is the name of the referent. 147 maxLength: 253 148 minLength: 1 149 type: string 150 required: 151 - group 152 - kind 153 - name 154 type: object 155 maxItems: 8 156 type: array 157 hostname: 158 description: "Hostname is used for two purposes in the connection 159 between Gateways and backends: \n 1. Hostname MUST be used as 160 the SNI to connect to the backend (RFC 6066). 2. Hostname MUST 161 be used for authentication and MUST match the certificate served 162 by the matching backend. \n Support: Core" 163 maxLength: 253 164 minLength: 1 165 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 166 type: string 167 wellKnownCACerts: 168 description: "WellKnownCACerts specifies whether system CA certificates 169 may be used in the TLS handshake between the gateway and backend 170 pod. \n If WellKnownCACerts is unspecified or empty (\"\"), 171 then CACertRefs must be specified with at least one entry for 172 a valid configuration. Only one of CACertRefs or WellKnownCACerts 173 may be specified, not both. \n Support: Core for \"System\"" 174 enum: 175 - System 176 type: string 177 required: 178 - hostname 179 type: object 180 x-kubernetes-validations: 181 - message: must not contain both CACertRefs and WellKnownCACerts 182 rule: '!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts) 183 && self.wellKnownCACerts != "")' 184 - message: must specify either CACertRefs or WellKnownCACerts 185 rule: (has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts) 186 && self.wellKnownCACerts != "") 187 required: 188 - targetRef 189 - tls 190 type: object 191 status: 192 description: Status defines the current state of BackendTLSPolicy. 193 properties: 194 ancestors: 195 description: "Ancestors is a list of ancestor resources (usually Gateways) 196 that are associated with the policy, and the status of the policy 197 with respect to each ancestor. When this policy attaches to a parent, 198 the controller that manages the parent and the ancestors MUST add 199 an entry to this list when the controller first sees the policy 200 and SHOULD update the entry as appropriate when the relevant ancestor 201 is modified. \n Note that choosing the relevant ancestor is left 202 to the Policy designers; an important part of Policy design is designing 203 the right object level at which to namespace this status. \n Note 204 also that implementations MUST ONLY populate ancestor status for 205 the Ancestor resources they are responsible for. Implementations 206 MUST use the ControllerName field to uniquely identify the entries 207 in this list that they are responsible for. \n Note that to achieve 208 this, the list of PolicyAncestorStatus structs MUST be treated as 209 a map with a composite key, made up of the AncestorRef and ControllerName 210 fields combined. \n A maximum of 16 ancestors will be represented 211 in this list. An empty list means the Policy is not relevant for 212 any ancestors. \n If this slice is full, implementations MUST NOT 213 add further entries. Instead they MUST consider the policy unimplementable 214 and signal that on any related resources such as the ancestor that 215 would be referenced here. For example, if this list was full on 216 BackendTLSPolicy, no additional Gateways would be able to reference 217 the Service targeted by the BackendTLSPolicy." 218 items: 219 description: "PolicyAncestorStatus describes the status of a route 220 with respect to an associated Ancestor. \n Ancestors refer to 221 objects that are either the Target of a policy or above it in 222 terms of object hierarchy. For example, if a policy targets a 223 Service, the Policy's Ancestors are, in order, the Service, the 224 HTTPRoute, the Gateway, and the GatewayClass. Almost always, in 225 this hierarchy, the Gateway will be the most useful object to 226 place Policy status on, so we recommend that implementations SHOULD 227 use Gateway as the PolicyAncestorStatus object unless the designers 228 have a _very_ good reason otherwise. \n In the context of policy 229 attachment, the Ancestor is used to distinguish which resource 230 results in a distinct application of this policy. For example, 231 if a policy targets a Service, it may have a distinct result per 232 attached Gateway. \n Policies targeting the same resource may 233 have different effects depending on the ancestors of those resources. 234 For example, different Gateways targeting the same Service may 235 have different capabilities, especially if they have different 236 underlying implementations. \n For example, in BackendTLSPolicy, 237 the Policy attaches to a Service that is used as a backend in 238 a HTTPRoute that is itself attached to a Gateway. In this case, 239 the relevant object for status is the Gateway, and that is the 240 ancestor object referred to in this status. \n Note that a parent 241 is also an ancestor, so for objects where the parent is the relevant 242 object for status, this struct SHOULD still be used. \n This struct 243 is intended to be used in a slice that's effectively a map, with 244 a composite key made up of the AncestorRef and the ControllerName." 245 properties: 246 ancestorRef: 247 description: AncestorRef corresponds with a ParentRef in the 248 spec that this PolicyAncestorStatus struct describes the status 249 of. 250 properties: 251 group: 252 default: gateway.networking.k8s.io 253 description: "Group is the group of the referent. When unspecified, 254 \"gateway.networking.k8s.io\" is inferred. To set the 255 core API group (such as for a \"Service\" kind referent), 256 Group must be explicitly set to \"\" (empty string). \n 257 Support: Core" 258 maxLength: 253 259 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 260 type: string 261 kind: 262 default: Gateway 263 description: "Kind is kind of the referent. \n There are 264 two kinds of parent resources with \"Core\" support: \n 265 * Gateway (Gateway conformance profile) * Service (Mesh 266 conformance profile, experimental, ClusterIP Services 267 only) \n Support for other resources is Implementation-Specific." 268 maxLength: 63 269 minLength: 1 270 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 271 type: string 272 name: 273 description: "Name is the name of the referent. \n Support: 274 Core" 275 maxLength: 253 276 minLength: 1 277 type: string 278 namespace: 279 description: "Namespace is the namespace of the referent. 280 When unspecified, this refers to the local namespace of 281 the Route. \n Note that there are specific rules for ParentRefs 282 which cross namespace boundaries. Cross-namespace references 283 are only valid if they are explicitly allowed by something 284 in the namespace they are referring to. For example: Gateway 285 has the AllowedRoutes field, and ReferenceGrant provides 286 a generic way to enable any other kind of cross-namespace 287 reference. \n ParentRefs from a Route to a Service in 288 the same namespace are \"producer\" routes, which apply 289 default routing rules to inbound connections from any 290 namespace to the Service. \n ParentRefs from a Route to 291 a Service in a different namespace are \"consumer\" routes, 292 and these routing rules are only applied to outbound connections 293 originating from the same namespace as the Route, for 294 which the intended destination of the connections are 295 a Service targeted as a ParentRef of the Route. \n Support: 296 Core" 297 maxLength: 63 298 minLength: 1 299 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 300 type: string 301 port: 302 description: "Port is the network port this Route targets. 303 It can be interpreted differently based on the type of 304 parent resource. \n When the parent resource is a Gateway, 305 this targets all listeners listening on the specified 306 port that also support this kind of Route(and select this 307 Route). It's not recommended to set `Port` unless the 308 networking behaviors specified in a Route must apply to 309 a specific port as opposed to a listener(s) whose port(s) 310 may be changed. When both Port and SectionName are specified, 311 the name and port of the selected listener must match 312 both specified values. \n When the parent resource is 313 a Service, this targets a specific port in the Service 314 spec. When both Port (experimental) and SectionName are 315 specified, the name and port of the selected port must 316 match both specified values. \n Implementations MAY choose 317 to support other parent resources. Implementations supporting 318 other types of parent resources MUST clearly document 319 how/if Port is interpreted. \n For the purpose of status, 320 an attachment is considered successful as long as the 321 parent resource accepts it partially. For example, Gateway 322 listeners can restrict which Routes can attach to them 323 by Route kind, namespace, or hostname. If 1 of 2 Gateway 324 listeners accept attachment from the referencing Route, 325 the Route MUST be considered successfully attached. If 326 no Gateway listeners accept attachment from this Route, 327 the Route MUST be considered detached from the Gateway. 328 \n Support: Extended \n " 329 format: int32 330 maximum: 65535 331 minimum: 1 332 type: integer 333 sectionName: 334 description: "SectionName is the name of a section within 335 the target resource. In the following resources, SectionName 336 is interpreted as the following: \n * Gateway: Listener 337 Name. When both Port (experimental) and SectionName are 338 specified, the name and port of the selected listener 339 must match both specified values. * Service: Port Name. 340 When both Port (experimental) and SectionName are specified, 341 the name and port of the selected listener must match 342 both specified values. Note that attaching Routes to Services 343 as Parents is part of experimental Mesh support and is 344 not supported for any other purpose. \n Implementations 345 MAY choose to support attaching Routes to other resources. 346 If that is the case, they MUST clearly document how SectionName 347 is interpreted. \n When unspecified (empty string), this 348 will reference the entire resource. For the purpose of 349 status, an attachment is considered successful if at least 350 one section in the parent resource accepts it. For example, 351 Gateway listeners can restrict which Routes can attach 352 to them by Route kind, namespace, or hostname. If 1 of 353 2 Gateway listeners accept attachment from the referencing 354 Route, the Route MUST be considered successfully attached. 355 If no Gateway listeners accept attachment from this Route, 356 the Route MUST be considered detached from the Gateway. 357 \n Support: Core" 358 maxLength: 253 359 minLength: 1 360 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 361 type: string 362 required: 363 - name 364 type: object 365 conditions: 366 description: Conditions describes the status of the Policy with 367 respect to the given Ancestor. 368 items: 369 description: "Condition contains details for one aspect of 370 the current state of this API Resource. --- This struct 371 is intended for direct use as an array at the field path 372 .status.conditions. For example, \n type FooStatus struct{ 373 // Represents the observations of a foo's current state. 374 // Known .status.conditions.type are: \"Available\", \"Progressing\", 375 and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge 376 // +listType=map // +listMapKey=type Conditions []metav1.Condition 377 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" 378 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields 379 }" 380 properties: 381 lastTransitionTime: 382 description: lastTransitionTime is the last time the condition 383 transitioned from one status to another. This should 384 be when the underlying condition changed. If that is 385 not known, then using the time when the API field changed 386 is acceptable. 387 format: date-time 388 type: string 389 message: 390 description: message is a human readable message indicating 391 details about the transition. This may be an empty string. 392 maxLength: 32768 393 type: string 394 observedGeneration: 395 description: observedGeneration represents the .metadata.generation 396 that the condition was set based upon. For instance, 397 if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration 398 is 9, the condition is out of date with respect to the 399 current state of the instance. 400 format: int64 401 minimum: 0 402 type: integer 403 reason: 404 description: reason contains a programmatic identifier 405 indicating the reason for the condition's last transition. 406 Producers of specific condition types may define expected 407 values and meanings for this field, and whether the 408 values are considered a guaranteed API. The value should 409 be a CamelCase string. This field may not be empty. 410 maxLength: 1024 411 minLength: 1 412 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 413 type: string 414 status: 415 description: status of the condition, one of True, False, 416 Unknown. 417 enum: 418 - "True" 419 - "False" 420 - Unknown 421 type: string 422 type: 423 description: type of condition in CamelCase or in foo.example.com/CamelCase. 424 --- Many .condition.type values are consistent across 425 resources like Available, but because arbitrary conditions 426 can be useful (see .node.status.conditions), the ability 427 to deconflict is important. The regex it matches is 428 (dns1123SubdomainFmt/)?(qualifiedNameFmt) 429 maxLength: 316 430 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 431 type: string 432 required: 433 - lastTransitionTime 434 - message 435 - reason 436 - status 437 - type 438 type: object 439 maxItems: 8 440 minItems: 1 441 type: array 442 x-kubernetes-list-map-keys: 443 - type 444 x-kubernetes-list-type: map 445 controllerName: 446 description: "ControllerName is a domain/path string that indicates 447 the name of the controller that wrote this status. This corresponds 448 with the controllerName field on GatewayClass. \n Example: 449 \"example.net/gateway-controller\". \n The format of this 450 field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid 451 Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). 452 \n Controllers MUST populate this field when writing status. 453 Controllers should ensure that entries to status populated 454 with their ControllerName are cleaned up when they are no 455 longer necessary." 456 maxLength: 253 457 minLength: 1 458 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ 459 type: string 460 required: 461 - ancestorRef 462 - controllerName 463 type: object 464 maxItems: 16 465 type: array 466 required: 467 - ancestors 468 type: object 469 required: 470 - spec 471 type: object 472 served: true 473 storage: true 474 subresources: 475 status: {} 476 status: 477 acceptedNames: 478 kind: "" 479 plural: "" 480 conditions: null 481 storedVersions: null