/*
Copyright 2020 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha2

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// NOTE(review): the genclient and kubebuilder lines in this file are
// code-generation markers, not prose. Keep them byte-exact and directly above
// the declaration they annotate. The doc comments presumably also feed the
// generated schema descriptions (confirm against the generator in use).

// +genclient
// +kubebuilder:object:root=true
// +kubebuilder:resource:categories=gateway-api
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

// The TLSRoute resource is similar to TCPRoute, but can be configured
// to match against TLS-specific metadata. This allows more flexibility
// in matching streams for a given TLS listener.
//
// If you need to forward traffic to a single target for a TLS listener, you
// could choose to use a TCPRoute with a TLS listener.
type TLSRoute struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec defines the desired state of TLSRoute.
	Spec TLSRouteSpec `json:"spec"`

	// Status defines the current state of TLSRoute.
	Status TLSRouteStatus `json:"status,omitempty"`
}

// TLSRouteSpec defines the desired state of a TLSRoute resource.
type TLSRouteSpec struct {
	CommonRouteSpec `json:",inline"`

	// NOTE(review): the SNI value compared against Hostnames is supplied by
	// the client in its ClientHello, so a match is a routing decision and not
	// proof of client identity; it should not be relied on as an access
	// control. Per the rules below, a TLSRoute that omits Hostnames matches
	// whatever hostname the Listener declares, so an empty list is the
	// broadest setting rather than a neutral default. Which Listeners a route
	// may attach to is decided outside this field (presumably through
	// CommonRouteSpec; confirm there).

	// Hostnames defines a set of SNI names that should match against the
	// SNI attribute of TLS ClientHello message in TLS handshake. This matches
	// the RFC 1123 definition of a hostname with 2 notable exceptions:
	//
	// 1. IPs are not allowed in SNI names per RFC 6066.
	// 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
	//    label must appear by itself as the first label.
	//
	// If a hostname is specified by both the Listener and TLSRoute, there
	// must be at least one intersecting hostname for the TLSRoute to be
	// attached to the Listener. For example:
	//
	// * A Listener with `test.example.com` as the hostname matches TLSRoutes
	//   that have either not specified any hostnames, or have specified at
	//   least one of `test.example.com` or `*.example.com`.
	// * A Listener with `*.example.com` as the hostname matches TLSRoutes
	//   that have either not specified any hostnames or have specified at least
	//   one hostname that matches the Listener hostname. For example,
	//   `test.example.com` and `*.example.com` would both match. On the other
	//   hand, `example.com` and `test.example.net` would not match.
	//
	// If both the Listener and TLSRoute have specified hostnames, any
	// TLSRoute hostnames that do not match the Listener hostname MUST be
	// ignored. For example, if a Listener specified `*.example.com`, and the
	// TLSRoute specified `test.example.com` and `test.example.net`,
	// `test.example.net` must not be considered for a match.
	//
	// If both the Listener and TLSRoute have specified hostnames, and none
	// match with the criteria above, then the TLSRoute is not accepted. The
	// implementation must raise an 'Accepted' Condition with a status of
	// `False` in the corresponding RouteParentStatus.
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	Hostnames []Hostname `json:"hostnames,omitempty"`

	// Rules are a list of TLS matchers and actions.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	Rules []TLSRouteRule `json:"rules"`
}

// TLSRouteStatus defines the observed state of TLSRoute.
type TLSRouteStatus struct {
	RouteStatus `json:",inline"`
}

// TLSRouteRule is the configuration for a given rule.
type TLSRouteRule struct {
	// NOTE(review): the text below mentions filters and a 500 status code,
	// but TLSRouteRule as declared here has no filter field. An HTTP status
	// can only be returned where the implementation terminates TLS;
	// otherwise rejecting the connection is the behaviour available. Confirm
	// against the implementation in use. Either way, the contract is
	// fail-closed: traffic weighted to an invalid backend is rejected, not
	// redistributed to the remaining backends.

	// BackendRefs defines the backend(s) where matching requests should be
	// sent. If unspecified or invalid (refers to a non-existent resource or
	// a Service with no endpoints), the rule performs no forwarding; if no
	// filters are specified that would result in a response being sent, the
	// underlying implementation must actively reject request attempts to this
	// backend, by rejecting the connection or returning a 500 status code.
	// Request rejections must respect weight; if an invalid backend is
	// requested to have 80% of requests, then 80% of requests must be rejected
	// instead.
	//
	// Support: Core for Kubernetes Service
	//
	// Support: Extended for Kubernetes ServiceImport
	//
	// Support: Implementation-specific for any other resource
	//
	// Support for weight: Extended
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	BackendRefs []BackendRef `json:"backendRefs,omitempty"`
}

// +kubebuilder:object:root=true

// TLSRouteList contains a list of TLSRoute.
type TLSRouteList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []TLSRoute `json:"items"`
}