1apiVersion: apiextensions.k8s.io/v1
2kind: CustomResourceDefinition
3metadata:
4 annotations:
5 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
6 gateway.networking.k8s.io/bundle-version: v1.0.0
7 gateway.networking.k8s.io/channel: experimental
8 creationTimestamp: null
9 labels:
10 gateway.networking.k8s.io/policy: Direct
11 name: backendtlspolicies.gateway.networking.k8s.io
12spec:
13 group: gateway.networking.k8s.io
14 names:
15 categories:
16 - gateway-api
17 kind: BackendTLSPolicy
18 listKind: BackendTLSPolicyList
19 plural: backendtlspolicies
20 shortNames:
21 - btlspolicy
22 singular: backendtlspolicy
23 scope: Namespaced
24 versions:
25 - additionalPrinterColumns:
26 - jsonPath: .metadata.creationTimestamp
27 name: Age
28 type: date
29 name: v1alpha2
30 schema:
31 openAPIV3Schema:
32 description: BackendTLSPolicy provides a way to configure how a Gateway connects
33 to a Backend via TLS.
34 properties:
35 apiVersion:
36 description: 'APIVersion defines the versioned schema of this representation
37 of an object. Servers should convert recognized schemas to the latest
38 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
39 type: string
40 kind:
41 description: 'Kind is a string value representing the REST resource this
42 object represents. Servers may infer this from the endpoint the client
43 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
44 type: string
45 metadata:
46 type: object
47 spec:
48 description: Spec defines the desired state of BackendTLSPolicy.
49 properties:
50 targetRef:
51 description: "TargetRef identifies an API object to apply the policy
52 to. Only Services have Extended support. Implementations MAY support
53 additional objects, with Implementation Specific support. Note that
54 this config applies to the entire referenced resource by default,
55 but this default may change in the future to provide a more granular
56 application of the policy. \n Support: Extended for Kubernetes Service
57 \n Support: Implementation-specific for any other resource"
58 properties:
59 group:
60 description: Group is the group of the target resource.
61 maxLength: 253
62 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
63 type: string
64 kind:
65 description: Kind is kind of the target resource.
66 maxLength: 63
67 minLength: 1
68 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
69 type: string
70 name:
71 description: Name is the name of the target resource.
72 maxLength: 253
73 minLength: 1
74 type: string
75 namespace:
76 description: Namespace is the namespace of the referent. When
77 unspecified, the local namespace is inferred. Even when policy
78 targets a resource in a different namespace, it MUST only apply
79 to traffic originating from the same namespace as the policy.
80 maxLength: 63
81 minLength: 1
82 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
83 type: string
84 sectionName:
85 description: "SectionName is the name of a section within the
86 target resource. When unspecified, this targetRef targets the
87 entire resource. In the following resources, SectionName is
88 interpreted as the following: \n * Gateway: Listener Name *
89 Service: Port Name \n If a SectionName is specified, but does
90 not exist on the targeted object, the Policy must fail to attach,
91 and the policy implementation should record a `ResolvedRefs`
92 or similar Condition in the Policy's status."
93 maxLength: 253
94 minLength: 1
95 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
96 type: string
97 required:
98 - group
99 - kind
100 - name
101 type: object
102 tls:
103 description: TLS contains backend TLS policy configuration.
104 properties:
105 caCertRefs:
106 description: "CACertRefs contains one or more references to Kubernetes
107 objects that contain a PEM-encoded TLS CA certificate bundle,
108 which is used to validate a TLS handshake between the Gateway
109 and backend Pod. \n If CACertRefs is empty or unspecified, then
110 WellKnownCACerts must be specified. Only one of CACertRefs or
111 WellKnownCACerts may be specified, not both. If CACertRefs is
112 empty or unspecified, the configuration for WellKnownCACerts
113 MUST be honored instead. \n References to a resource in a different
114 namespace are invalid for the moment, although we will revisit
115 this in the future. \n A single CACertRef to a Kubernetes ConfigMap
116 kind has \"Core\" support. Implementations MAY choose to support
117 attaching multiple certificates to a backend, but this behavior
118 is implementation-specific. \n Support: Core - An optional single
119 reference to a Kubernetes ConfigMap, with the CA certificate
120 in a key named `ca.crt`. \n Support: Implementation-specific
121 (More than one reference, or other kinds of resources)."
122 items:
123 description: "LocalObjectReference identifies an API object
124 within the namespace of the referrer. The API object must
125 be valid in the cluster; the Group and Kind must be registered
126 in the cluster for this reference to be valid. \n References
127 to objects with invalid Group and Kind are not valid, and
128 must be rejected by the implementation, with appropriate Conditions
129 set on the containing object."
130 properties:
131 group:
132 description: Group is the group of the referent. For example,
133 "gateway.networking.k8s.io". When unspecified or empty
134 string, core API group is inferred.
135 maxLength: 253
136 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
137 type: string
138 kind:
139 description: Kind is kind of the referent. For example "HTTPRoute"
140 or "Service".
141 maxLength: 63
142 minLength: 1
143 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
144 type: string
145 name:
146 description: Name is the name of the referent.
147 maxLength: 253
148 minLength: 1
149 type: string
150 required:
151 - group
152 - kind
153 - name
154 type: object
155 maxItems: 8
156 type: array
157 hostname:
158 description: "Hostname is used for two purposes in the connection
159 between Gateways and backends: \n 1. Hostname MUST be used as
160 the SNI to connect to the backend (RFC 6066). 2. Hostname MUST
161 be used for authentication and MUST match the certificate served
162 by the matching backend. \n Support: Core"
163 maxLength: 253
164 minLength: 1
165 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
166 type: string
167 wellKnownCACerts:
168 description: "WellKnownCACerts specifies whether system CA certificates
169 may be used in the TLS handshake between the gateway and backend
170 pod. \n If WellKnownCACerts is unspecified or empty (\"\"),
171 then CACertRefs must be specified with at least one entry for
172 a valid configuration. Only one of CACertRefs or WellKnownCACerts
173 may be specified, not both. \n Support: Core for \"System\""
174 enum:
175 - System
176 type: string
177 required:
178 - hostname
179 type: object
180 x-kubernetes-validations:
181 - message: must not contain both CACertRefs and WellKnownCACerts
182 rule: '!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts)
183 && self.wellKnownCACerts != "")'
184 - message: must specify either CACertRefs or WellKnownCACerts
185 rule: (has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts)
186 && self.wellKnownCACerts != "")
187 required:
188 - targetRef
189 - tls
190 type: object
191 status:
192 description: Status defines the current state of BackendTLSPolicy.
193 properties:
194 ancestors:
195 description: "Ancestors is a list of ancestor resources (usually Gateways)
196 that are associated with the policy, and the status of the policy
197 with respect to each ancestor. When this policy attaches to a parent,
198 the controller that manages the parent and the ancestors MUST add
199 an entry to this list when the controller first sees the policy
200 and SHOULD update the entry as appropriate when the relevant ancestor
201 is modified. \n Note that choosing the relevant ancestor is left
202 to the Policy designers; an important part of Policy design is designing
203 the right object level at which to namespace this status. \n Note
204 also that implementations MUST ONLY populate ancestor status for
205 the Ancestor resources they are responsible for. Implementations
206 MUST use the ControllerName field to uniquely identify the entries
207 in this list that they are responsible for. \n Note that to achieve
208 this, the list of PolicyAncestorStatus structs MUST be treated as
209 a map with a composite key, made up of the AncestorRef and ControllerName
210 fields combined. \n A maximum of 16 ancestors will be represented
211 in this list. An empty list means the Policy is not relevant for
212 any ancestors. \n If this slice is full, implementations MUST NOT
213 add further entries. Instead they MUST consider the policy unimplementable
214 and signal that on any related resources such as the ancestor that
215 would be referenced here. For example, if this list was full on
216 BackendTLSPolicy, no additional Gateways would be able to reference
217 the Service targeted by the BackendTLSPolicy."
218 items:
219 description: "PolicyAncestorStatus describes the status of a route
220 with respect to an associated Ancestor. \n Ancestors refer to
221 objects that are either the Target of a policy or above it in
222 terms of object hierarchy. For example, if a policy targets a
223 Service, the Policy's Ancestors are, in order, the Service, the
224 HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
225 this hierarchy, the Gateway will be the most useful object to
226 place Policy status on, so we recommend that implementations SHOULD
227 use Gateway as the PolicyAncestorStatus object unless the designers
228 have a _very_ good reason otherwise. \n In the context of policy
229 attachment, the Ancestor is used to distinguish which resource
230 results in a distinct application of this policy. For example,
231 if a policy targets a Service, it may have a distinct result per
232 attached Gateway. \n Policies targeting the same resource may
233 have different effects depending on the ancestors of those resources.
234 For example, different Gateways targeting the same Service may
235 have different capabilities, especially if they have different
236 underlying implementations. \n For example, in BackendTLSPolicy,
237 the Policy attaches to a Service that is used as a backend in
238 a HTTPRoute that is itself attached to a Gateway. In this case,
239 the relevant object for status is the Gateway, and that is the
240 ancestor object referred to in this status. \n Note that a parent
241 is also an ancestor, so for objects where the parent is the relevant
242 object for status, this struct SHOULD still be used. \n This struct
243 is intended to be used in a slice that's effectively a map, with
244 a composite key made up of the AncestorRef and the ControllerName."
245 properties:
246 ancestorRef:
247 description: AncestorRef corresponds with a ParentRef in the
248 spec that this PolicyAncestorStatus struct describes the status
249 of.
250 properties:
251 group:
252 default: gateway.networking.k8s.io
253 description: "Group is the group of the referent. When unspecified,
254 \"gateway.networking.k8s.io\" is inferred. To set the
255 core API group (such as for a \"Service\" kind referent),
256 Group must be explicitly set to \"\" (empty string). \n
257 Support: Core"
258 maxLength: 253
259 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
260 type: string
261 kind:
262 default: Gateway
263 description: "Kind is kind of the referent. \n There are
264 two kinds of parent resources with \"Core\" support: \n
265 * Gateway (Gateway conformance profile) * Service (Mesh
266 conformance profile, experimental, ClusterIP Services
267 only) \n Support for other resources is Implementation-Specific."
268 maxLength: 63
269 minLength: 1
270 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
271 type: string
272 name:
273 description: "Name is the name of the referent. \n Support:
274 Core"
275 maxLength: 253
276 minLength: 1
277 type: string
278 namespace:
279 description: "Namespace is the namespace of the referent.
280 When unspecified, this refers to the local namespace of
281 the Route. \n Note that there are specific rules for ParentRefs
282 which cross namespace boundaries. Cross-namespace references
283 are only valid if they are explicitly allowed by something
284 in the namespace they are referring to. For example: Gateway
285 has the AllowedRoutes field, and ReferenceGrant provides
286 a generic way to enable any other kind of cross-namespace
287 reference. \n ParentRefs from a Route to a Service in
288 the same namespace are \"producer\" routes, which apply
289 default routing rules to inbound connections from any
290 namespace to the Service. \n ParentRefs from a Route to
291 a Service in a different namespace are \"consumer\" routes,
292 and these routing rules are only applied to outbound connections
293 originating from the same namespace as the Route, for
294 which the intended destination of the connections are
295 a Service targeted as a ParentRef of the Route. \n Support:
296 Core"
297 maxLength: 63
298 minLength: 1
299 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
300 type: string
301 port:
302 description: "Port is the network port this Route targets.
303 It can be interpreted differently based on the type of
304 parent resource. \n When the parent resource is a Gateway,
305 this targets all listeners listening on the specified
306 port that also support this kind of Route(and select this
307 Route). It's not recommended to set `Port` unless the
308 networking behaviors specified in a Route must apply to
309 a specific port as opposed to a listener(s) whose port(s)
310 may be changed. When both Port and SectionName are specified,
311 the name and port of the selected listener must match
312 both specified values. \n When the parent resource is
313 a Service, this targets a specific port in the Service
314 spec. When both Port (experimental) and SectionName are
315 specified, the name and port of the selected port must
316 match both specified values. \n Implementations MAY choose
317 to support other parent resources. Implementations supporting
318 other types of parent resources MUST clearly document
319 how/if Port is interpreted. \n For the purpose of status,
320 an attachment is considered successful as long as the
321 parent resource accepts it partially. For example, Gateway
322 listeners can restrict which Routes can attach to them
323 by Route kind, namespace, or hostname. If 1 of 2 Gateway
324 listeners accept attachment from the referencing Route,
325 the Route MUST be considered successfully attached. If
326 no Gateway listeners accept attachment from this Route,
327 the Route MUST be considered detached from the Gateway.
328 \n Support: Extended \n "
329 format: int32
330 maximum: 65535
331 minimum: 1
332 type: integer
333 sectionName:
334 description: "SectionName is the name of a section within
335 the target resource. In the following resources, SectionName
336 is interpreted as the following: \n * Gateway: Listener
337 Name. When both Port (experimental) and SectionName are
338 specified, the name and port of the selected listener
339 must match both specified values. * Service: Port Name.
340 When both Port (experimental) and SectionName are specified,
341 the name and port of the selected listener must match
342 both specified values. Note that attaching Routes to Services
343 as Parents is part of experimental Mesh support and is
344 not supported for any other purpose. \n Implementations
345 MAY choose to support attaching Routes to other resources.
346 If that is the case, they MUST clearly document how SectionName
347 is interpreted. \n When unspecified (empty string), this
348 will reference the entire resource. For the purpose of
349 status, an attachment is considered successful if at least
350 one section in the parent resource accepts it. For example,
351 Gateway listeners can restrict which Routes can attach
352 to them by Route kind, namespace, or hostname. If 1 of
353 2 Gateway listeners accept attachment from the referencing
354 Route, the Route MUST be considered successfully attached.
355 If no Gateway listeners accept attachment from this Route,
356 the Route MUST be considered detached from the Gateway.
357 \n Support: Core"
358 maxLength: 253
359 minLength: 1
360 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
361 type: string
362 required:
363 - name
364 type: object
365 conditions:
366 description: Conditions describes the status of the Policy with
367 respect to the given Ancestor.
368 items:
369 description: "Condition contains details for one aspect of
370 the current state of this API Resource. --- This struct
371 is intended for direct use as an array at the field path
372 .status.conditions. For example, \n type FooStatus struct{
373 // Represents the observations of a foo's current state.
374 // Known .status.conditions.type are: \"Available\", \"Progressing\",
375 and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
376 // +listType=map // +listMapKey=type Conditions []metav1.Condition
377 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
378 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
379 }"
380 properties:
381 lastTransitionTime:
382 description: lastTransitionTime is the last time the condition
383 transitioned from one status to another. This should
384 be when the underlying condition changed. If that is
385 not known, then using the time when the API field changed
386 is acceptable.
387 format: date-time
388 type: string
389 message:
390 description: message is a human readable message indicating
391 details about the transition. This may be an empty string.
392 maxLength: 32768
393 type: string
394 observedGeneration:
395 description: observedGeneration represents the .metadata.generation
396 that the condition was set based upon. For instance,
397 if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
398 is 9, the condition is out of date with respect to the
399 current state of the instance.
400 format: int64
401 minimum: 0
402 type: integer
403 reason:
404 description: reason contains a programmatic identifier
405 indicating the reason for the condition's last transition.
406 Producers of specific condition types may define expected
407 values and meanings for this field, and whether the
408 values are considered a guaranteed API. The value should
409 be a CamelCase string. This field may not be empty.
410 maxLength: 1024
411 minLength: 1
412 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
413 type: string
414 status:
415 description: status of the condition, one of True, False,
416 Unknown.
417 enum:
418 - "True"
419 - "False"
420 - Unknown
421 type: string
422 type:
423 description: type of condition in CamelCase or in foo.example.com/CamelCase.
424 --- Many .condition.type values are consistent across
425 resources like Available, but because arbitrary conditions
426 can be useful (see .node.status.conditions), the ability
427 to deconflict is important. The regex it matches is
428 (dns1123SubdomainFmt/)?(qualifiedNameFmt)
429 maxLength: 316
430 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
431 type: string
432 required:
433 - lastTransitionTime
434 - message
435 - reason
436 - status
437 - type
438 type: object
439 maxItems: 8
440 minItems: 1
441 type: array
442 x-kubernetes-list-map-keys:
443 - type
444 x-kubernetes-list-type: map
445 controllerName:
446 description: "ControllerName is a domain/path string that indicates
447 the name of the controller that wrote this status. This corresponds
448 with the controllerName field on GatewayClass. \n Example:
449 \"example.net/gateway-controller\". \n The format of this
450 field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
451 Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
452 \n Controllers MUST populate this field when writing status.
453 Controllers should ensure that entries to status populated
454 with their ControllerName are cleaned up when they are no
455 longer necessary."
456 maxLength: 253
457 minLength: 1
458 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
459 type: string
460 required:
461 - ancestorRef
462 - controllerName
463 type: object
464 maxItems: 16
465 type: array
466 required:
467 - ancestors
468 type: object
469 required:
470 - spec
471 type: object
472 served: true
473 storage: true
474 subresources:
475 status: {}
476status:
477 acceptedNames:
478 kind: ""
479 plural: ""
480 conditions: null
481 storedVersions: null
View as plain text