sigs.k8s.io/gateway-api@v1.0.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml (about) 1 apiVersion: apiextensions.k8s.io/v1 2 kind: CustomResourceDefinition 3 metadata: 4 annotations: 5 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466 6 gateway.networking.k8s.io/bundle-version: v1.0.0 7 gateway.networking.k8s.io/channel: standard 8 creationTimestamp: null 9 name: gateways.gateway.networking.k8s.io 10 spec: 11 group: gateway.networking.k8s.io 12 names: 13 categories: 14 - gateway-api 15 kind: Gateway 16 listKind: GatewayList 17 plural: gateways 18 shortNames: 19 - gtw 20 singular: gateway 21 scope: Namespaced 22 versions: 23 - additionalPrinterColumns: 24 - jsonPath: .spec.gatewayClassName 25 name: Class 26 type: string 27 - jsonPath: .status.addresses[*].value 28 name: Address 29 type: string 30 - jsonPath: .status.conditions[?(@.type=="Programmed")].status 31 name: Programmed 32 type: string 33 - jsonPath: .metadata.creationTimestamp 34 name: Age 35 type: date 36 name: v1 37 schema: 38 openAPIV3Schema: 39 description: Gateway represents an instance of a service-traffic handling 40 infrastructure by binding Listeners to a set of IP addresses. 41 properties: 42 apiVersion: 43 description: 'APIVersion defines the versioned schema of this representation 44 of an object. Servers should convert recognized schemas to the latest 45 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 46 type: string 47 kind: 48 description: 'Kind is a string value representing the REST resource this 49 object represents. Servers may infer this from the endpoint the client 50 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 51 type: string 52 metadata: 53 type: object 54 spec: 55 description: Spec defines the desired state of Gateway. 56 properties: 57 addresses: 58 description: "Addresses requested for this Gateway. This is optional 59 and behavior can depend on the implementation. If a value is set 60 in the spec and the requested address is invalid or unavailable, 61 the implementation MUST indicate this in the associated entry in 62 GatewayStatus.Addresses. \n The Addresses field represents a request 63 for the address(es) on the \"outside of the Gateway\", that traffic 64 bound for this Gateway will use. This could be the IP address or 65 hostname of an external load balancer or other networking infrastructure, 66 or some other address that traffic will be sent to. \n If no Addresses 67 are specified, the implementation MAY schedule the Gateway in an 68 implementation-specific manner, assigning an appropriate set of 69 Addresses. \n The implementation MUST bind all Listeners to every 70 GatewayAddress that it assigns to the Gateway and add a corresponding 71 entry in GatewayStatus.Addresses. \n Support: Extended \n " 72 items: 73 description: GatewayAddress describes an address that can be bound 74 to a Gateway. 75 oneOf: 76 - properties: 77 type: 78 enum: 79 - IPAddress 80 value: 81 anyOf: 82 - format: ipv4 83 - format: ipv6 84 - properties: 85 type: 86 not: 87 enum: 88 - IPAddress 89 properties: 90 type: 91 default: IPAddress 92 description: Type of the address. 93 maxLength: 253 94 minLength: 1 95 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ 96 type: string 97 value: 98 description: "Value of the address. The validity of the values 99 will depend on the type and support by the controller. \n 100 Examples: `1.2.3.4`, `128::1`, `my-ip-address`." 
101 maxLength: 253 102 minLength: 1 103 type: string 104 required: 105 - value 106 type: object 107 x-kubernetes-validations: 108 - message: Hostname value must only contain valid characters (matching 109 ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) 110 rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): 111 true' 112 maxItems: 16 113 type: array 114 x-kubernetes-validations: 115 - message: IPAddress values must be unique 116 rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, 117 a2.type == a1.type && a2.value == a1.value) : true )' 118 - message: Hostname values must be unique 119 rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, 120 a2.type == a1.type && a2.value == a1.value) : true )' 121 gatewayClassName: 122 description: GatewayClassName used for this Gateway. This is the name 123 of a GatewayClass resource. 124 maxLength: 253 125 minLength: 1 126 type: string 127 listeners: 128 description: "Listeners associated with this Gateway. Listeners define 129 logical endpoints that are bound on this Gateway's addresses. At 130 least one Listener MUST be specified. \n Each Listener in a set 131 of Listeners (for example, in a single Gateway) MUST be _distinct_, 132 in that a traffic flow MUST be able to be assigned to exactly one 133 listener. (This section uses \"set of Listeners\" rather than \"Listeners 134 in a single Gateway\" because implementations MAY merge configuration 135 from multiple Gateways onto a single data plane, and these rules 136 _also_ apply in that case). \n Practically, this means that each 137 listener in a set MUST have a unique combination of Port, Protocol, 138 and, if supported by the protocol, Hostname. 
\n Some combinations 139 of port, protocol, and TLS settings are considered Core support 140 and MUST be supported by implementations based on their targeted 141 conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80, 142 Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: 143 Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port: 144 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners 145 have the following property: \n The implementation can match inbound 146 requests to a single distinct Listener. When multiple Listeners 147 share values for fields (for example, two Listeners with the same 148 Port value), the implementation can match requests to only one of 149 the Listeners using other Listener fields. \n For example, the following 150 Listener scenarios are distinct: \n 1. Multiple Listeners with the 151 same Port that all use the \"HTTP\" Protocol that all have unique 152 Hostname values. 2. Multiple Listeners with the same Port that use 153 either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname 154 values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners, 155 where no Listener with the same Protocol has the same Port value. 156 \n Some fields in the Listener struct have possible values that 157 affect whether the Listener is distinct. Hostname is particularly 158 relevant for HTTP or HTTPS protocols. \n When using the Hostname 159 value to select between same-Port, same-Protocol Listeners, the 160 Hostname value must be different on each Listener for the Listener 161 to be distinct. \n When the Listeners are distinct based on Hostname, 162 inbound request hostnames MUST match from the most specific to least 163 specific Hostname values to choose the correct Listener and its 164 associated set of Routes. \n Exact matches must be processed before 165 wildcard matches, and wildcard matches must be processed before 166 fallback (empty Hostname value) matches. 
For example, `\"foo.example.com\"` 167 takes precedence over `\"*.example.com\"`, and `\"*.example.com\"` 168 takes precedence over `\"\"`. \n Additionally, if there are multiple 169 wildcard entries, more specific wildcard entries must be processed 170 before less specific wildcard entries. For example, `\"*.foo.example.com\"` 171 takes precedence over `\"*.example.com\"`. The precise definition 172 here is that the higher the number of dots in the hostname to the 173 right of the wildcard character, the higher the precedence. \n The 174 wildcard character will match any number of characters _and dots_ 175 to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"` 176 _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners 177 that are not distinct, then those Listeners are Conflicted, and 178 the implementation MUST set the \"Conflicted\" condition in the 179 Listener Status to \"True\". \n Implementations MAY choose to accept 180 a Gateway with some Conflicted Listeners only if they only accept 181 the partial Listener set that contains no Conflicted Listeners. 182 To put this another way, implementations may accept a partial Listener 183 set only if they throw out *all* the conflicting Listeners. No picking 184 one of the conflicting listeners as the winner. This also means 185 that the Gateway must have at least one non-conflicting Listener 186 in this case, otherwise it violates the requirement that at least 187 one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\" 188 condition on the Gateway Status when the Gateway contains Conflicted 189 Listeners whether or not they accept the Gateway. That Condition 190 SHOULD clearly indicate in the Message which Listeners are conflicted, 191 and which are Accepted. Additionally, the Listener status for those 192 listeners SHOULD indicate which Listeners are conflicted and not 193 Accepted. 
\n A Gateway's Listeners are considered \"compatible\" 194 if: \n 1. They are distinct. 2. The implementation can serve them 195 in compliance with the Addresses requirement that all Listeners 196 are available on all assigned addresses. \n Compatible combinations 197 in Extended support are expected to vary across implementations. 198 A combination that is compatible for one implementation may not 199 be compatible for another. \n For example, an implementation that 200 cannot serve both TCP and UDP listeners on the same address, or 201 cannot mix HTTPS and generic TLS listens on the same port would 202 not consider those cases compatible, even though they are distinct. 203 \n Note that requests SHOULD match at most one Listener. For example, 204 if Listeners are defined for \"foo.example.com\" and \"*.example.com\", 205 a request to \"foo.example.com\" SHOULD only be routed using routes 206 attached to the \"foo.example.com\" Listener (and not the \"*.example.com\" 207 Listener). This concept is known as \"Listener Isolation\". Implementations 208 that do not support Listener Isolation MUST clearly document this. 209 \n Implementations MAY merge separate Gateways onto a single set 210 of Addresses if all Listeners across all Gateways are compatible. 211 \n Support: Core" 212 items: 213 description: Listener embodies the concept of a logical endpoint 214 where a Gateway accepts network connections. 215 properties: 216 allowedRoutes: 217 default: 218 namespaces: 219 from: Same 220 description: "AllowedRoutes defines the types of routes that 221 MAY be attached to a Listener and the trusted namespaces where 222 those Route resources MAY be present. \n Although a client 223 request may match multiple route rules, only one rule may 224 ultimately receive the request. Matching precedence MUST be 225 determined in order of the following criteria: \n * The most 226 specific match as defined by the Route type. * The oldest 227 Route based on creation timestamp. 
For example, a Route with 228 a creation timestamp of \"2020-09-08 01:02:03\" is given precedence 229 over a Route with a creation timestamp of \"2020-09-08 01:02:04\". 230 * If everything else is equivalent, the Route appearing first 231 in alphabetical order (namespace/name) should be given precedence. 232 For example, foo/bar is given precedence over foo/baz. \n 233 All valid rules within a Route attached to this Listener should 234 be implemented. Invalid Route rules can be ignored (sometimes 235 that will mean the full Route). If a Route rule transitions 236 from valid to invalid, support for that Route rule should 237 be dropped to ensure consistency. For example, even if a filter 238 specified by a Route rule is invalid, the rest of the rules 239 within that Route should still be supported. \n Support: Core" 240 properties: 241 kinds: 242 description: "Kinds specifies the groups and kinds of Routes 243 that are allowed to bind to this Gateway Listener. When 244 unspecified or empty, the kinds of Routes selected are 245 determined using the Listener protocol. \n A RouteGroupKind 246 MUST correspond to kinds of Routes that are compatible 247 with the application protocol specified in the Listener's 248 Protocol field. If an implementation does not support 249 or recognize this resource type, it MUST set the \"ResolvedRefs\" 250 condition to False for this Listener with the \"InvalidRouteKinds\" 251 reason. \n Support: Core" 252 items: 253 description: RouteGroupKind indicates the group and kind 254 of a Route resource. 255 properties: 256 group: 257 default: gateway.networking.k8s.io 258 description: Group is the group of the Route. 259 maxLength: 253 260 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 261 type: string 262 kind: 263 description: Kind is the kind of the Route. 
264 maxLength: 63 265 minLength: 1 266 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 267 type: string 268 required: 269 - kind 270 type: object 271 maxItems: 8 272 type: array 273 namespaces: 274 default: 275 from: Same 276 description: "Namespaces indicates namespaces from which 277 Routes may be attached to this Listener. This is restricted 278 to the namespace of this Gateway by default. \n Support: 279 Core" 280 properties: 281 from: 282 default: Same 283 description: "From indicates where Routes will be selected 284 for this Gateway. Possible values are: \n * All: Routes 285 in all namespaces may be used by this Gateway. * Selector: 286 Routes in namespaces selected by the selector may 287 be used by this Gateway. * Same: Only Routes in the 288 same namespace may be used by this Gateway. \n Support: 289 Core" 290 enum: 291 - All 292 - Selector 293 - Same 294 type: string 295 selector: 296 description: "Selector must be specified when From is 297 set to \"Selector\". In that case, only Routes in 298 Namespaces matching this Selector will be selected 299 by this Gateway. This field is ignored for other values 300 of \"From\". \n Support: Core" 301 properties: 302 matchExpressions: 303 description: matchExpressions is a list of label 304 selector requirements. The requirements are ANDed. 305 items: 306 description: A label selector requirement is a 307 selector that contains values, a key, and an 308 operator that relates the key and values. 309 properties: 310 key: 311 description: key is the label key that the 312 selector applies to. 313 type: string 314 operator: 315 description: operator represents a key's relationship 316 to a set of values. Valid operators are 317 In, NotIn, Exists and DoesNotExist. 318 type: string 319 values: 320 description: values is an array of string 321 values. If the operator is In or NotIn, 322 the values array must be non-empty. If the 323 operator is Exists or DoesNotExist, the 324 values array must be empty. 
This array is 325 replaced during a strategic merge patch. 326 items: 327 type: string 328 type: array 329 required: 330 - key 331 - operator 332 type: object 333 type: array 334 matchLabels: 335 additionalProperties: 336 type: string 337 description: matchLabels is a map of {key,value} 338 pairs. A single {key,value} in the matchLabels 339 map is equivalent to an element of matchExpressions, 340 whose key field is "key", the operator is "In", 341 and the values array contains only "value". The 342 requirements are ANDed. 343 type: object 344 type: object 345 x-kubernetes-map-type: atomic 346 type: object 347 type: object 348 hostname: 349 description: "Hostname specifies the virtual hostname to match 350 for protocol types that define this concept. When unspecified, 351 all hostnames are matched. This field is ignored for protocols 352 that don't require hostname based matching. \n Implementations 353 MUST apply Hostname matching appropriately for each of the 354 following protocols: \n * TLS: The Listener Hostname MUST 355 match the SNI. * HTTP: The Listener Hostname MUST match the 356 Host header of the request. * HTTPS: The Listener Hostname 357 SHOULD match at both the TLS and HTTP protocol layers as described 358 above. If an implementation does not ensure that both the 359 SNI and Host header match the Listener hostname, it MUST clearly 360 document that. \n For HTTPRoute and TLSRoute resources, there 361 is an interaction with the `spec.hostnames` array. When both 362 listener and route specify hostnames, there MUST be an intersection 363 between the values for a Route to be accepted. For more information, 364 refer to the Route specific Hostnames documentation. \n Hostnames 365 that are prefixed with a wildcard label (`*.`) are interpreted 366 as a suffix match. That means that a match for `*.example.com` 367 would match both `test.example.com`, and `foo.test.example.com`, 368 but not `example.com`. 
\n Support: Core" 369 maxLength: 253 370 minLength: 1 371 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 372 type: string 373 name: 374 description: "Name is the name of the Listener. This name MUST 375 be unique within a Gateway. \n Support: Core" 376 maxLength: 253 377 minLength: 1 378 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 379 type: string 380 port: 381 description: "Port is the network port. Multiple listeners may 382 use the same port, subject to the Listener compatibility rules. 383 \n Support: Core" 384 format: int32 385 maximum: 65535 386 minimum: 1 387 type: integer 388 protocol: 389 description: "Protocol specifies the network protocol this listener 390 expects to receive. \n Support: Core" 391 maxLength: 255 392 minLength: 1 393 pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ 394 type: string 395 tls: 396 description: "TLS is the TLS configuration for the Listener. 397 This field is required if the Protocol field is \"HTTPS\" 398 or \"TLS\". It is invalid to set this field if the Protocol 399 field is \"HTTP\", \"TCP\", or \"UDP\". \n The association 400 of SNIs to Certificate defined in GatewayTLSConfig is defined 401 based on the Hostname field for this listener. \n The GatewayClass 402 MUST use the longest matching SNI out of all available certificates 403 for any TLS handshake. \n Support: Core" 404 properties: 405 certificateRefs: 406 description: "CertificateRefs contains a series of references 407 to Kubernetes objects that contains TLS certificates and 408 private keys. These certificates are used to establish 409 a TLS handshake for requests that match the hostname of 410 the associated listener. \n A single CertificateRef to 411 a Kubernetes Secret has \"Core\" support. 
Implementations 412 MAY choose to support attaching multiple certificates 413 to a Listener, but this behavior is implementation-specific. 414 \n References to a resource in different namespace are 415 invalid UNLESS there is a ReferenceGrant in the target 416 namespace that allows the certificate to be attached. 417 If a ReferenceGrant does not allow this reference, the 418 \"ResolvedRefs\" condition MUST be set to False for this 419 listener with the \"RefNotPermitted\" reason. \n This 420 field is required to have at least one element when the 421 mode is set to \"Terminate\" (default) and is optional 422 otherwise. \n CertificateRefs can reference to standard 423 Kubernetes resources, i.e. Secret, or implementation-specific 424 custom resources. \n Support: Core - A single reference 425 to a Kubernetes Secret of type kubernetes.io/tls \n Support: 426 Implementation-specific (More than one reference or other 427 resource types)" 428 items: 429 description: "SecretObjectReference identifies an API 430 object including its namespace, defaulting to Secret. 431 \n The API object must be valid in the cluster; the 432 Group and Kind must be registered in the cluster for 433 this reference to be valid. \n References to objects 434 with invalid Group and Kind are not valid, and must 435 be rejected by the implementation, with appropriate 436 Conditions set on the containing object." 437 properties: 438 group: 439 default: "" 440 description: Group is the group of the referent. For 441 example, "gateway.networking.k8s.io". When unspecified 442 or empty string, core API group is inferred. 443 maxLength: 253 444 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 445 type: string 446 kind: 447 default: Secret 448 description: Kind is kind of the referent. For example 449 "Secret". 450 maxLength: 63 451 minLength: 1 452 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 453 type: string 454 name: 455 description: Name is the name of the referent. 
456 maxLength: 253 457 minLength: 1 458 type: string 459 namespace: 460 description: "Namespace is the namespace of the referenced 461 object. When unspecified, the local namespace is 462 inferred. \n Note that when a namespace different 463 than the local namespace is specified, a ReferenceGrant 464 object is required in the referent namespace to 465 allow that namespace's owner to accept the reference. 466 See the ReferenceGrant documentation for details. 467 \n Support: Core" 468 maxLength: 63 469 minLength: 1 470 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 471 type: string 472 required: 473 - name 474 type: object 475 maxItems: 64 476 type: array 477 mode: 478 default: Terminate 479 description: "Mode defines the TLS behavior for the TLS 480 session initiated by the client. There are two possible 481 modes: \n - Terminate: The TLS session between the downstream 482 client and the Gateway is terminated at the Gateway. This 483 mode requires certificateRefs to be set and contain at 484 least one element. - Passthrough: The TLS session is NOT 485 terminated by the Gateway. This implies that the Gateway 486 can't decipher the TLS stream except for the ClientHello 487 message of the TLS protocol. CertificateRefs field is 488 ignored in this mode. \n Support: Core" 489 enum: 490 - Terminate 491 - Passthrough 492 type: string 493 options: 494 additionalProperties: 495 description: AnnotationValue is the value of an annotation 496 in Gateway API. This is used for validation of maps 497 such as TLS options. This roughly matches Kubernetes 498 annotation validation, although the length validation 499 in that case is based on the entire size of the annotations 500 struct. 501 maxLength: 4096 502 minLength: 0 503 type: string 504 description: "Options are a list of key/value pairs to enable 505 extended TLS configuration for each implementation. For 506 example, configuring the minimum TLS version or supported 507 cipher suites. 
\n A set of common keys MAY be defined 508 by the API in the future. To avoid any ambiguity, implementation-specific 509 definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. 510 Un-prefixed names are reserved for key names defined by 511 Gateway API. \n Support: Implementation-specific" 512 maxProperties: 16 513 type: object 514 type: object 515 x-kubernetes-validations: 516 - message: certificateRefs must be specified when TLSModeType 517 is Terminate 518 rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) 519 > 0 : true' 520 required: 521 - name 522 - port 523 - protocol 524 type: object 525 maxItems: 64 526 minItems: 1 527 type: array 528 x-kubernetes-list-map-keys: 529 - name 530 x-kubernetes-list-type: map 531 x-kubernetes-validations: 532 - message: tls must be specified for protocols ['HTTPS', 'TLS'] 533 rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ? has(l.tls) 534 : true)' 535 - message: tls must not be specified for protocols ['HTTP', 'TCP', 536 'UDP'] 537 rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? 538 !has(l.tls) : true)' 539 - message: hostname must not be specified for protocols ['TCP', 'UDP'] 540 rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) 541 || l.hostname == '''') : true)' 542 - message: Listener name must be unique within the Gateway 543 rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) 544 - message: Combination of port, protocol and hostname must be unique 545 for each listener 546 rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol 547 == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? 
l1.hostname 548 == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' 549 required: 550 - gatewayClassName 551 - listeners 552 type: object 553 status: 554 default: 555 conditions: 556 - lastTransitionTime: "1970-01-01T00:00:00Z" 557 message: Waiting for controller 558 reason: Pending 559 status: Unknown 560 type: Accepted 561 - lastTransitionTime: "1970-01-01T00:00:00Z" 562 message: Waiting for controller 563 reason: Pending 564 status: Unknown 565 type: Programmed 566 description: Status defines the current state of Gateway. 567 properties: 568 addresses: 569 description: "Addresses lists the network addresses that have been 570 bound to the Gateway. \n This list may differ from the addresses 571 provided in the spec under some conditions: \n * no addresses are 572 specified, all addresses are dynamically assigned * a combination 573 of specified and dynamic addresses are assigned * a specified address 574 was unusable (e.g. already in use) \n " 575 items: 576 description: GatewayStatusAddress describes a network address that 577 is bound to a Gateway. 578 oneOf: 579 - properties: 580 type: 581 enum: 582 - IPAddress 583 value: 584 anyOf: 585 - format: ipv4 586 - format: ipv6 587 - properties: 588 type: 589 not: 590 enum: 591 - IPAddress 592 properties: 593 type: 594 default: IPAddress 595 description: Type of the address. 596 maxLength: 253 597 minLength: 1 598 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ 599 type: string 600 value: 601 description: "Value of the address. The validity of the values 602 will depend on the type and support by the controller. \n 603 Examples: `1.2.3.4`, `128::1`, `my-ip-address`." 
604 maxLength: 253 605 minLength: 1 606 type: string 607 required: 608 - value 609 type: object 610 x-kubernetes-validations: 611 - message: Hostname value must only contain valid characters (matching 612 ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) 613 rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): 614 true' 615 maxItems: 16 616 type: array 617 conditions: 618 default: 619 - lastTransitionTime: "1970-01-01T00:00:00Z" 620 message: Waiting for controller 621 reason: Pending 622 status: Unknown 623 type: Accepted 624 - lastTransitionTime: "1970-01-01T00:00:00Z" 625 message: Waiting for controller 626 reason: Pending 627 status: Unknown 628 type: Programmed 629 description: "Conditions describe the current conditions of the Gateway. 630 \n Implementations should prefer to express Gateway conditions using 631 the `GatewayConditionType` and `GatewayConditionReason` constants 632 so that operators and tools can converge on a common vocabulary 633 to describe Gateway state. \n Known condition types are: \n * \"Accepted\" 634 * \"Programmed\" * \"Ready\"" 635 items: 636 description: "Condition contains details for one aspect of the current 637 state of this API Resource. --- This struct is intended for direct 638 use as an array at the field path .status.conditions. For example, 639 \n type FooStatus struct{ // Represents the observations of a 640 foo's current state. 
// Known .status.conditions.type are: \"Available\", 641 \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge 642 // +listType=map // +listMapKey=type Conditions []metav1.Condition 643 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" 644 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" 645 properties: 646 lastTransitionTime: 647 description: lastTransitionTime is the last time the condition 648 transitioned from one status to another. This should be when 649 the underlying condition changed. If that is not known, then 650 using the time when the API field changed is acceptable. 651 format: date-time 652 type: string 653 message: 654 description: message is a human readable message indicating 655 details about the transition. This may be an empty string. 656 maxLength: 32768 657 type: string 658 observedGeneration: 659 description: observedGeneration represents the .metadata.generation 660 that the condition was set based upon. For instance, if .metadata.generation 661 is currently 12, but the .status.conditions[x].observedGeneration 662 is 9, the condition is out of date with respect to the current 663 state of the instance. 664 format: int64 665 minimum: 0 666 type: integer 667 reason: 668 description: reason contains a programmatic identifier indicating 669 the reason for the condition's last transition. Producers 670 of specific condition types may define expected values and 671 meanings for this field, and whether the values are considered 672 a guaranteed API. The value should be a CamelCase string. 673 This field may not be empty. 674 maxLength: 1024 675 minLength: 1 676 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 677 type: string 678 status: 679 description: status of the condition, one of True, False, Unknown. 680 enum: 681 - "True" 682 - "False" 683 - Unknown 684 type: string 685 type: 686 description: type of condition in CamelCase or in foo.example.com/CamelCase. 
687 --- Many .condition.type values are consistent across resources 688 like Available, but because arbitrary conditions can be useful 689 (see .node.status.conditions), the ability to deconflict is 690 important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) 691 maxLength: 316 692 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 693 type: string 694 required: 695 - lastTransitionTime 696 - message 697 - reason 698 - status 699 - type 700 type: object 701 maxItems: 8 702 type: array 703 x-kubernetes-list-map-keys: 704 - type 705 x-kubernetes-list-type: map 706 listeners: 707 description: Listeners provide status for each unique listener port 708 defined in the Spec. 709 items: 710 description: ListenerStatus is the status associated with a Listener. 711 properties: 712 attachedRoutes: 713 description: "AttachedRoutes represents the total number of 714 Routes that have been successfully attached to this Listener. 715 \n Successful attachment of a Route to a Listener is based 716 solely on the combination of the AllowedRoutes field on the 717 corresponding Listener and the Route's ParentRefs field. A 718 Route is successfully attached to a Listener when it is selected 719 by the Listener's AllowedRoutes field AND the Route has a 720 valid ParentRef selecting the whole Gateway resource or a 721 specific Listener as a parent resource (more detail on attachment 722 semantics can be found in the documentation on the various 723 Route kinds ParentRefs fields). Listener or Route status does 724 not impact successful attachment, i.e. the AttachedRoutes 725 field count MUST be set for Listeners with condition Accepted: 726 false and MUST count successfully attached Routes that may 727 themselves have Accepted: false conditions. \n Uses for this 728 field include troubleshooting Route attachment and measuring 729 blast radius/impact of changes to a Listener." 
730 format: int32 731 type: integer 732 conditions: 733 description: Conditions describe the current condition of this 734 listener. 735 items: 736 description: "Condition contains details for one aspect of 737 the current state of this API Resource. --- This struct 738 is intended for direct use as an array at the field path 739 .status.conditions. For example, \n type FooStatus struct{ 740 // Represents the observations of a foo's current state. 741 // Known .status.conditions.type are: \"Available\", \"Progressing\", 742 and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge 743 // +listType=map // +listMapKey=type Conditions []metav1.Condition 744 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" 745 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields 746 }" 747 properties: 748 lastTransitionTime: 749 description: lastTransitionTime is the last time the condition 750 transitioned from one status to another. This should 751 be when the underlying condition changed. If that is 752 not known, then using the time when the API field changed 753 is acceptable. 754 format: date-time 755 type: string 756 message: 757 description: message is a human readable message indicating 758 details about the transition. This may be an empty string. 759 maxLength: 32768 760 type: string 761 observedGeneration: 762 description: observedGeneration represents the .metadata.generation 763 that the condition was set based upon. For instance, 764 if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration 765 is 9, the condition is out of date with respect to the 766 current state of the instance. 767 format: int64 768 minimum: 0 769 type: integer 770 reason: 771 description: reason contains a programmatic identifier 772 indicating the reason for the condition's last transition. 
                              Producers of specific condition types may define expected
                              values and meanings for this field, and whether the
                              values are considered a guaranteed API. The value should
                              be a CamelCase string. This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
                              --- Many .condition.type values are consistent across
                              resources like Available, but because arbitrary conditions
                              can be useful (see .node.status.conditions), the ability
                              to deconflict is important. The regex it matches is
                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      maxItems: 8
                      type: array
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    name:
                      description: Name is the name of the Listener that this status
                        corresponds to.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    supportedKinds:
                      description: "SupportedKinds is the list indicating the Kinds
                        supported by this listener. This MUST represent the kinds
                        an implementation supports for that Listener configuration.
                        \n If kinds are specified in Spec that are not supported,
                        they MUST NOT appear in this list and an implementation MUST
                        set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
                        reason.
                        If both valid and invalid Route kinds are specified,
                        the implementation MUST reference the valid Route kinds that
                        have been specified."
                      items:
                        description: RouteGroupKind indicates the group and kind of
                          a Route resource.
                        properties:
                          group:
                            default: gateway.networking.k8s.io
                            description: Group is the group of the Route.
                            maxLength: 253
                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          kind:
                            description: Kind is the kind of the Route.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                            type: string
                        required:
                        - kind
                        type: object
                      maxItems: 8
                      type: array
                  required:
                  - attachedRoutes
                  - conditions
                  - name
                  - supportedKinds
                  type: object
                maxItems: 64
                type: array
                x-kubernetes-list-map-keys:
                - name
                x-kubernetes-list-type: map
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.gatewayClassName
      name: Class
      type: string
    - jsonPath: .status.addresses[*].value
      name: Address
      type: string
    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
      name: Programmed
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: Gateway represents an instance of a service-traffic handling
          infrastructure by binding Listeners to a set of IP addresses.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of Gateway.
            properties:
              addresses:
                description: "Addresses requested for this Gateway. This is optional
                  and behavior can depend on the implementation. If a value is set
                  in the spec and the requested address is invalid or unavailable,
                  the implementation MUST indicate this in the associated entry in
                  GatewayStatus.Addresses. \n The Addresses field represents a request
                  for the address(es) on the \"outside of the Gateway\", that traffic
                  bound for this Gateway will use. This could be the IP address or
                  hostname of an external load balancer or other networking infrastructure,
                  or some other address that traffic will be sent to. \n If no Addresses
                  are specified, the implementation MAY schedule the Gateway in an
                  implementation-specific manner, assigning an appropriate set of
                  Addresses. \n The implementation MUST bind all Listeners to every
                  GatewayAddress that it assigns to the Gateway and add a corresponding
                  entry in GatewayStatus.Addresses. \n Support: Extended \n "
                items:
                  description: GatewayAddress describes an address that can be bound
                    to a Gateway.
                  oneOf:
                  - properties:
                      type:
                        enum:
                        - IPAddress
                      value:
                        anyOf:
                        - format: ipv4
                        - format: ipv6
                  - properties:
                      type:
                        not:
                          enum:
                          - IPAddress
                  properties:
                    type:
                      default: IPAddress
                      description: Type of the address.
                      maxLength: 253
                      minLength: 1
                      pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    value:
                      description: "Value of the address. The validity of the values
                        will depend on the type and support by the controller. \n
                        Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
                      maxLength: 253
                      minLength: 1
                      type: string
                  required:
                  - value
                  type: object
                  x-kubernetes-validations:
                  - message: Hostname value must only contain valid characters (matching
                      ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
                    rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
                      true'
                maxItems: 16
                type: array
                x-kubernetes-validations:
                - message: IPAddress values must be unique
                  rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
                    a2.type == a1.type && a2.value == a1.value) : true )'
                - message: Hostname values must be unique
                  rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
                    a2.type == a1.type && a2.value == a1.value) : true )'
              gatewayClassName:
                description: GatewayClassName used for this Gateway. This is the name
                  of a GatewayClass resource.
                maxLength: 253
                minLength: 1
                type: string
              listeners:
                description: "Listeners associated with this Gateway. Listeners define
                  logical endpoints that are bound on this Gateway's addresses. At
                  least one Listener MUST be specified. \n Each Listener in a set
                  of Listeners (for example, in a single Gateway) MUST be _distinct_,
                  in that a traffic flow MUST be able to be assigned to exactly one
                  listener.
                  (This section uses \"set of Listeners\" rather than \"Listeners
                  in a single Gateway\" because implementations MAY merge configuration
                  from multiple Gateways onto a single data plane, and these rules
                  _also_ apply in that case). \n Practically, this means that each
                  listener in a set MUST have a unique combination of Port, Protocol,
                  and, if supported by the protocol, Hostname. \n Some combinations
                  of port, protocol, and TLS settings are considered Core support
                  and MUST be supported by implementations based on their targeted
                  conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
                  Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
                  Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
                  443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
                  have the following property: \n The implementation can match inbound
                  requests to a single distinct Listener. When multiple Listeners
                  share values for fields (for example, two Listeners with the same
                  Port value), the implementation can match requests to only one of
                  the Listeners using other Listener fields. \n For example, the following
                  Listener scenarios are distinct: \n 1. Multiple Listeners with the
                  same Port that all use the \"HTTP\" Protocol that all have unique
                  Hostname values. 2. Multiple Listeners with the same Port that use
                  either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
                  values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
                  where no Listener with the same Protocol has the same Port value.
                  \n Some fields in the Listener struct have possible values that
                  affect whether the Listener is distinct. Hostname is particularly
                  relevant for HTTP or HTTPS protocols. \n When using the Hostname
                  value to select between same-Port, same-Protocol Listeners, the
                  Hostname value must be different on each Listener for the Listener
                  to be distinct.
                  \n When the Listeners are distinct based on Hostname,
                  inbound request hostnames MUST match from the most specific to least
                  specific Hostname values to choose the correct Listener and its
                  associated set of Routes. \n Exact matches must be processed before
                  wildcard matches, and wildcard matches must be processed before
                  fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
                  takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
                  takes precedence over `\"\"`. \n Additionally, if there are multiple
                  wildcard entries, more specific wildcard entries must be processed
                  before less specific wildcard entries. For example, `\"*.foo.example.com\"`
                  takes precedence over `\"*.example.com\"`. The precise definition
                  here is that the higher the number of dots in the hostname to the
                  right of the wildcard character, the higher the precedence. \n The
                  wildcard character will match any number of characters _and dots_
                  to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
                  _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
                  that are not distinct, then those Listeners are Conflicted, and
                  the implementation MUST set the \"Conflicted\" condition in the
                  Listener Status to \"True\". \n Implementations MAY choose to accept
                  a Gateway with some Conflicted Listeners only if they only accept
                  the partial Listener set that contains no Conflicted Listeners.
                  To put this another way, implementations may accept a partial Listener
                  set only if they throw out *all* the conflicting Listeners. No picking
                  one of the conflicting listeners as the winner. This also means
                  that the Gateway must have at least one non-conflicting Listener
                  in this case, otherwise it violates the requirement that at least
                  one Listener must be present.
                  \n The implementation MUST set a \"ListenersNotValid\"
                  condition on the Gateway Status when the Gateway contains Conflicted
                  Listeners whether or not they accept the Gateway. That Condition
                  SHOULD clearly indicate in the Message which Listeners are conflicted,
                  and which are Accepted. Additionally, the Listener status for those
                  listeners SHOULD indicate which Listeners are conflicted and not
                  Accepted. \n A Gateway's Listeners are considered \"compatible\"
                  if: \n 1. They are distinct. 2. The implementation can serve them
                  in compliance with the Addresses requirement that all Listeners
                  are available on all assigned addresses. \n Compatible combinations
                  in Extended support are expected to vary across implementations.
                  A combination that is compatible for one implementation may not
                  be compatible for another. \n For example, an implementation that
                  cannot serve both TCP and UDP listeners on the same address, or
                  cannot mix HTTPS and generic TLS listens on the same port would
                  not consider those cases compatible, even though they are distinct.
                  \n Note that requests SHOULD match at most one Listener. For example,
                  if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
                  a request to \"foo.example.com\" SHOULD only be routed using routes
                  attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
                  Listener). This concept is known as \"Listener Isolation\". Implementations
                  that do not support Listener Isolation MUST clearly document this.
                  \n Implementations MAY merge separate Gateways onto a single set
                  of Addresses if all Listeners across all Gateways are compatible.
                  \n Support: Core"
                items:
                  description: Listener embodies the concept of a logical endpoint
                    where a Gateway accepts network connections.
                  properties:
                    allowedRoutes:
                      default:
                        namespaces:
                          from: Same
                      description: "AllowedRoutes defines the types of routes that
                        MAY be attached to a Listener and the trusted namespaces where
                        those Route resources MAY be present. \n Although a client
                        request may match multiple route rules, only one rule may
                        ultimately receive the request. Matching precedence MUST be
                        determined in order of the following criteria: \n * The most
                        specific match as defined by the Route type. * The oldest
                        Route based on creation timestamp. For example, a Route with
                        a creation timestamp of \"2020-09-08 01:02:03\" is given precedence
                        over a Route with a creation timestamp of \"2020-09-08 01:02:04\".
                        * If everything else is equivalent, the Route appearing first
                        in alphabetical order (namespace/name) should be given precedence.
                        For example, foo/bar is given precedence over foo/baz. \n
                        All valid rules within a Route attached to this Listener should
                        be implemented. Invalid Route rules can be ignored (sometimes
                        that will mean the full Route). If a Route rule transitions
                        from valid to invalid, support for that Route rule should
                        be dropped to ensure consistency. For example, even if a filter
                        specified by a Route rule is invalid, the rest of the rules
                        within that Route should still be supported. \n Support: Core"
                      properties:
                        kinds:
                          description: "Kinds specifies the groups and kinds of Routes
                            that are allowed to bind to this Gateway Listener. When
                            unspecified or empty, the kinds of Routes selected are
                            determined using the Listener protocol. \n A RouteGroupKind
                            MUST correspond to kinds of Routes that are compatible
                            with the application protocol specified in the Listener's
                            Protocol field.
                            If an implementation does not support
                            or recognize this resource type, it MUST set the \"ResolvedRefs\"
                            condition to False for this Listener with the \"InvalidRouteKinds\"
                            reason. \n Support: Core"
                          items:
                            description: RouteGroupKind indicates the group and kind
                              of a Route resource.
                            properties:
                              group:
                                default: gateway.networking.k8s.io
                                description: Group is the group of the Route.
                                maxLength: 253
                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              kind:
                                description: Kind is the kind of the Route.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                type: string
                            required:
                            - kind
                            type: object
                          maxItems: 8
                          type: array
                        namespaces:
                          default:
                            from: Same
                          description: "Namespaces indicates namespaces from which
                            Routes may be attached to this Listener. This is restricted
                            to the namespace of this Gateway by default. \n Support:
                            Core"
                          properties:
                            from:
                              default: Same
                              description: "From indicates where Routes will be selected
                                for this Gateway. Possible values are: \n * All: Routes
                                in all namespaces may be used by this Gateway. * Selector:
                                Routes in namespaces selected by the selector may
                                be used by this Gateway. * Same: Only Routes in the
                                same namespace may be used by this Gateway. \n Support:
                                Core"
                              enum:
                              - All
                              - Selector
                              - Same
                              type: string
                            selector:
                              description: "Selector must be specified when From is
                                set to \"Selector\". In that case, only Routes in
                                Namespaces matching this Selector will be selected
                                by this Gateway. This field is ignored for other values
                                of \"From\". \n Support: Core"
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                      type: object
                    hostname:
                      description: "Hostname specifies the virtual hostname to match
                        for protocol types that define this concept. When unspecified,
                        all hostnames are matched. This field is ignored for protocols
                        that don't require hostname based matching. \n Implementations
                        MUST apply Hostname matching appropriately for each of the
                        following protocols: \n * TLS: The Listener Hostname MUST
                        match the SNI. * HTTP: The Listener Hostname MUST match the
                        Host header of the request. * HTTPS: The Listener Hostname
                        SHOULD match at both the TLS and HTTP protocol layers as described
                        above.
                        If an implementation does not ensure that both the
                        SNI and Host header match the Listener hostname, it MUST clearly
                        document that. \n For HTTPRoute and TLSRoute resources, there
                        is an interaction with the `spec.hostnames` array. When both
                        listener and route specify hostnames, there MUST be an intersection
                        between the values for a Route to be accepted. For more information,
                        refer to the Route specific Hostnames documentation. \n Hostnames
                        that are prefixed with a wildcard label (`*.`) are interpreted
                        as a suffix match. That means that a match for `*.example.com`
                        would match both `test.example.com`, and `foo.test.example.com`,
                        but not `example.com`. \n Support: Core"
                      maxLength: 253
                      minLength: 1
                      pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    name:
                      description: "Name is the name of the Listener. This name MUST
                        be unique within a Gateway. \n Support: Core"
                      maxLength: 253
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
                    port:
                      description: "Port is the network port. Multiple listeners may
                        use the same port, subject to the Listener compatibility rules.
                        \n Support: Core"
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                    protocol:
                      description: "Protocol specifies the network protocol this listener
                        expects to receive. \n Support: Core"
                      maxLength: 255
                      minLength: 1
                      pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
                      type: string
                    tls:
                      description: "TLS is the TLS configuration for the Listener.
                        This field is required if the Protocol field is \"HTTPS\"
                        or \"TLS\". It is invalid to set this field if the Protocol
                        field is \"HTTP\", \"TCP\", or \"UDP\".
                        \n The association
                        of SNIs to Certificate defined in GatewayTLSConfig is defined
                        based on the Hostname field for this listener. \n The GatewayClass
                        MUST use the longest matching SNI out of all available certificates
                        for any TLS handshake. \n Support: Core"
                      properties:
                        certificateRefs:
                          description: "CertificateRefs contains a series of references
                            to Kubernetes objects that contains TLS certificates and
                            private keys. These certificates are used to establish
                            a TLS handshake for requests that match the hostname of
                            the associated listener. \n A single CertificateRef to
                            a Kubernetes Secret has \"Core\" support. Implementations
                            MAY choose to support attaching multiple certificates
                            to a Listener, but this behavior is implementation-specific.
                            \n References to a resource in different namespace are
                            invalid UNLESS there is a ReferenceGrant in the target
                            namespace that allows the certificate to be attached.
                            If a ReferenceGrant does not allow this reference, the
                            \"ResolvedRefs\" condition MUST be set to False for this
                            listener with the \"RefNotPermitted\" reason. \n This
                            field is required to have at least one element when the
                            mode is set to \"Terminate\" (default) and is optional
                            otherwise. \n CertificateRefs can reference to standard
                            Kubernetes resources, i.e. Secret, or implementation-specific
                            custom resources. \n Support: Core - A single reference
                            to a Kubernetes Secret of type kubernetes.io/tls \n Support:
                            Implementation-specific (More than one reference or other
                            resource types)"
                          items:
                            description: "SecretObjectReference identifies an API
                              object including its namespace, defaulting to Secret.
                              \n The API object must be valid in the cluster; the
                              Group and Kind must be registered in the cluster for
                              this reference to be valid.
                              \n References to objects
                              with invalid Group and Kind are not valid, and must
                              be rejected by the implementation, with appropriate
                              Conditions set on the containing object."
                            properties:
                              group:
                                default: ""
                                description: Group is the group of the referent. For
                                  example, "gateway.networking.k8s.io". When unspecified
                                  or empty string, core API group is inferred.
                                maxLength: 253
                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              kind:
                                default: Secret
                                description: Kind is kind of the referent. For example
                                  "Secret".
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                                type: string
                              name:
                                description: Name is the name of the referent.
                                maxLength: 253
                                minLength: 1
                                type: string
                              namespace:
                                description: "Namespace is the namespace of the referenced
                                  object. When unspecified, the local namespace is
                                  inferred. \n Note that when a namespace different
                                  than the local namespace is specified, a ReferenceGrant
                                  object is required in the referent namespace to
                                  allow that namespace's owner to accept the reference.
                                  See the ReferenceGrant documentation for details.
                                  \n Support: Core"
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            required:
                            - name
                            type: object
                          maxItems: 64
                          type: array
                        mode:
                          default: Terminate
                          description: "Mode defines the TLS behavior for the TLS
                            session initiated by the client. There are two possible
                            modes: \n - Terminate: The TLS session between the downstream
                            client and the Gateway is terminated at the Gateway. This
                            mode requires certificateRefs to be set and contain at
                            least one element. - Passthrough: The TLS session is NOT
                            terminated by the Gateway.
                            This implies that the Gateway
                            can't decipher the TLS stream except for the ClientHello
                            message of the TLS protocol. CertificateRefs field is
                            ignored in this mode. \n Support: Core"
                          enum:
                          - Terminate
                          - Passthrough
                          type: string
                        options:
                          additionalProperties:
                            description: AnnotationValue is the value of an annotation
                              in Gateway API. This is used for validation of maps
                              such as TLS options. This roughly matches Kubernetes
                              annotation validation, although the length validation
                              in that case is based on the entire size of the annotations
                              struct.
                            maxLength: 4096
                            minLength: 0
                            type: string
                          description: "Options are a list of key/value pairs to enable
                            extended TLS configuration for each implementation. For
                            example, configuring the minimum TLS version or supported
                            cipher suites. \n A set of common keys MAY be defined
                            by the API in the future. To avoid any ambiguity, implementation-specific
                            definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
                            Un-prefixed names are reserved for key names defined by
                            Gateway API. \n Support: Implementation-specific"
                          maxProperties: 16
                          type: object
                      type: object
                      x-kubernetes-validations:
                      - message: certificateRefs must be specified when TLSModeType
                          is Terminate
                        rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
                          > 0 : true'
                  required:
                  - name
                  - port
                  - protocol
                  type: object
                maxItems: 64
                minItems: 1
                type: array
                x-kubernetes-list-map-keys:
                - name
                x-kubernetes-list-type: map
                x-kubernetes-validations:
                - message: tls must be specified for protocols ['HTTPS', 'TLS']
                  rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ?
                    has(l.tls) : true)'
                - message: tls must not be specified for protocols ['HTTP', 'TCP',
                    'UDP']
                  rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
                    !has(l.tls) : true)'
                - message: hostname must not be specified for protocols ['TCP', 'UDP']
                  rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
                    || l.hostname == '''') : true)'
                - message: Listener name must be unique within the Gateway
                  rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
                - message: Combination of port, protocol and hostname must be unique
                    for each listener
                  rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
                    == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
                    == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
            required:
            - gatewayClassName
            - listeners
            type: object
          status:
            default:
              conditions:
              - lastTransitionTime: "1970-01-01T00:00:00Z"
                message: Waiting for controller
                reason: Pending
                status: Unknown
                type: Accepted
              - lastTransitionTime: "1970-01-01T00:00:00Z"
                message: Waiting for controller
                reason: Pending
                status: Unknown
                type: Programmed
            description: Status defines the current state of Gateway.
            properties:
              addresses:
                description: "Addresses lists the network addresses that have been
                  bound to the Gateway. \n This list may differ from the addresses
                  provided in the spec under some conditions: \n * no addresses are
                  specified, all addresses are dynamically assigned * a combination
                  of specified and dynamic addresses are assigned * a specified address
                  was unusable (e.g. already in use) \n "
                items:
                  description: GatewayStatusAddress describes a network address that
                    is bound to a Gateway.
                  oneOf:
                  - properties:
                      type:
                        enum:
                        - IPAddress
                      value:
                        anyOf:
                        - format: ipv4
                        - format: ipv6
                  - properties:
                      type:
                        not:
                          enum:
                          - IPAddress
                  properties:
                    type:
                      default: IPAddress
                      description: Type of the address.
                      maxLength: 253
                      minLength: 1
                      pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
                      type: string
                    value:
                      description: "Value of the address. The validity of the values
                        will depend on the type and support by the controller. \n
                        Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
                      maxLength: 253
                      minLength: 1
                      type: string
                  required:
                  - value
                  type: object
                  x-kubernetes-validations:
                  - message: Hostname value must only contain valid characters (matching
                      ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
                    rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
                      true'
                maxItems: 16
                type: array
              conditions:
                default:
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: Pending
                  status: Unknown
                  type: Accepted
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: Pending
                  status: Unknown
                  type: Programmed
                description: "Conditions describe the current conditions of the Gateway.
                  \n Implementations should prefer to express Gateway conditions using
                  the `GatewayConditionType` and `GatewayConditionReason` constants
                  so that operators and tools can converge on a common vocabulary
                  to describe Gateway state.
                  \n Known condition types are: \n * \"Accepted\"
                  * \"Programmed\" * \"Ready\""
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource. --- This struct is intended for direct
                    use as an array at the field path .status.conditions. For example,
                    \n type FooStatus struct{ // Represents the observations of a
                    foo's current state. // Known .status.conditions.type are: \"Available\",
                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed. If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition.
Producers 1515 of specific condition types may define expected values and 1516 meanings for this field, and whether the values are considered 1517 a guaranteed API. The value should be a CamelCase string. 1518 This field may not be empty. 1519 maxLength: 1024 1520 minLength: 1 1521 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 1522 type: string 1523 status: 1524 description: status of the condition, one of True, False, Unknown. 1525 enum: 1526 - "True" 1527 - "False" 1528 - Unknown 1529 type: string 1530 type: 1531 description: type of condition in CamelCase or in foo.example.com/CamelCase. 1532 --- Many .condition.type values are consistent across resources 1533 like Available, but because arbitrary conditions can be useful 1534 (see .node.status.conditions), the ability to deconflict is 1535 important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) 1536 maxLength: 316 1537 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 1538 type: string 1539 required: 1540 - lastTransitionTime 1541 - message 1542 - reason 1543 - status 1544 - type 1545 type: object 1546 maxItems: 8 1547 type: array 1548 x-kubernetes-list-map-keys: 1549 - type 1550 x-kubernetes-list-type: map 1551 listeners: 1552 description: Listeners provide status for each unique listener port 1553 defined in the Spec. 1554 items: 1555 description: ListenerStatus is the status associated with a Listener. 1556 properties: 1557 attachedRoutes: 1558 description: "AttachedRoutes represents the total number of 1559 Routes that have been successfully attached to this Listener. 1560 \n Successful attachment of a Route to a Listener is based 1561 solely on the combination of the AllowedRoutes field on the 1562 corresponding Listener and the Route's ParentRefs field. 
A 1563 Route is successfully attached to a Listener when it is selected 1564 by the Listener's AllowedRoutes field AND the Route has a 1565 valid ParentRef selecting the whole Gateway resource or a 1566 specific Listener as a parent resource (more detail on attachment 1567 semantics can be found in the documentation on the various 1568 Route kinds ParentRefs fields). Listener or Route status does 1569 not impact successful attachment, i.e. the AttachedRoutes 1570 field count MUST be set for Listeners with condition Accepted: 1571 false and MUST count successfully attached Routes that may 1572 themselves have Accepted: false conditions. \n Uses for this 1573 field include troubleshooting Route attachment and measuring 1574 blast radius/impact of changes to a Listener." 1575 format: int32 1576 type: integer 1577 conditions: 1578 description: Conditions describe the current condition of this 1579 listener. 1580 items: 1581 description: "Condition contains details for one aspect of 1582 the current state of this API Resource. --- This struct 1583 is intended for direct use as an array at the field path 1584 .status.conditions. For example, \n type FooStatus struct{ 1585 // Represents the observations of a foo's current state. 1586 // Known .status.conditions.type are: \"Available\", \"Progressing\", 1587 and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge 1588 // +listType=map // +listMapKey=type Conditions []metav1.Condition 1589 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" 1590 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields 1591 }" 1592 properties: 1593 lastTransitionTime: 1594 description: lastTransitionTime is the last time the condition 1595 transitioned from one status to another. This should 1596 be when the underlying condition changed. If that is 1597 not known, then using the time when the API field changed 1598 is acceptable. 
1599 format: date-time 1600 type: string 1601 message: 1602 description: message is a human readable message indicating 1603 details about the transition. This may be an empty string. 1604 maxLength: 32768 1605 type: string 1606 observedGeneration: 1607 description: observedGeneration represents the .metadata.generation 1608 that the condition was set based upon. For instance, 1609 if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration 1610 is 9, the condition is out of date with respect to the 1611 current state of the instance. 1612 format: int64 1613 minimum: 0 1614 type: integer 1615 reason: 1616 description: reason contains a programmatic identifier 1617 indicating the reason for the condition's last transition. 1618 Producers of specific condition types may define expected 1619 values and meanings for this field, and whether the 1620 values are considered a guaranteed API. The value should 1621 be a CamelCase string. This field may not be empty. 1622 maxLength: 1024 1623 minLength: 1 1624 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ 1625 type: string 1626 status: 1627 description: status of the condition, one of True, False, 1628 Unknown. 1629 enum: 1630 - "True" 1631 - "False" 1632 - Unknown 1633 type: string 1634 type: 1635 description: type of condition in CamelCase or in foo.example.com/CamelCase. 1636 --- Many .condition.type values are consistent across 1637 resources like Available, but because arbitrary conditions 1638 can be useful (see .node.status.conditions), the ability 1639 to deconflict is important. 
The regex it matches is 1640 (dns1123SubdomainFmt/)?(qualifiedNameFmt) 1641 maxLength: 316 1642 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ 1643 type: string 1644 required: 1645 - lastTransitionTime 1646 - message 1647 - reason 1648 - status 1649 - type 1650 type: object 1651 maxItems: 8 1652 type: array 1653 x-kubernetes-list-map-keys: 1654 - type 1655 x-kubernetes-list-type: map 1656 name: 1657 description: Name is the name of the Listener that this status 1658 corresponds to. 1659 maxLength: 253 1660 minLength: 1 1661 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1662 type: string 1663 supportedKinds: 1664 description: "SupportedKinds is the list indicating the Kinds 1665 supported by this listener. This MUST represent the kinds 1666 an implementation supports for that Listener configuration. 1667 \n If kinds are specified in Spec that are not supported, 1668 they MUST NOT appear in this list and an implementation MUST 1669 set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" 1670 reason. If both valid and invalid Route kinds are specified, 1671 the implementation MUST reference the valid Route kinds that 1672 have been specified." 1673 items: 1674 description: RouteGroupKind indicates the group and kind of 1675 a Route resource. 1676 properties: 1677 group: 1678 default: gateway.networking.k8s.io 1679 description: Group is the group of the Route. 1680 maxLength: 253 1681 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1682 type: string 1683 kind: 1684 description: Kind is the kind of the Route. 
1685 maxLength: 63 1686 minLength: 1 1687 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 1688 type: string 1689 required: 1690 - kind 1691 type: object 1692 maxItems: 8 1693 type: array 1694 required: 1695 - attachedRoutes 1696 - conditions 1697 - name 1698 - supportedKinds 1699 type: object 1700 maxItems: 64 1701 type: array 1702 x-kubernetes-list-map-keys: 1703 - name 1704 x-kubernetes-list-type: map 1705 type: object 1706 required: 1707 - spec 1708 type: object 1709 served: true 1710 storage: true 1711 subresources: 1712 status: {} 1713 status: 1714 acceptedNames: 1715 kind: "" 1716 plural: "" 1717 conditions: null 1718 storedVersions: null