1apiVersion: apiextensions.k8s.io/v1
2kind: CustomResourceDefinition
3metadata:
4 annotations:
5 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
6 gateway.networking.k8s.io/bundle-version: v1.0.0
7 gateway.networking.k8s.io/channel: standard
8 creationTimestamp: null
9 name: gateways.gateway.networking.k8s.io
10spec:
11 group: gateway.networking.k8s.io
12 names:
13 categories:
14 - gateway-api
15 kind: Gateway
16 listKind: GatewayList
17 plural: gateways
18 shortNames:
19 - gtw
20 singular: gateway
21 scope: Namespaced
22 versions:
23 - additionalPrinterColumns:
24 - jsonPath: .spec.gatewayClassName
25 name: Class
26 type: string
27 - jsonPath: .status.addresses[*].value
28 name: Address
29 type: string
30 - jsonPath: .status.conditions[?(@.type=="Programmed")].status
31 name: Programmed
32 type: string
33 - jsonPath: .metadata.creationTimestamp
34 name: Age
35 type: date
36 name: v1
37 schema:
38 openAPIV3Schema:
39 description: Gateway represents an instance of a service-traffic handling
40 infrastructure by binding Listeners to a set of IP addresses.
41 properties:
42 apiVersion:
43 description: 'APIVersion defines the versioned schema of this representation
44 of an object. Servers should convert recognized schemas to the latest
45 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
46 type: string
47 kind:
48 description: 'Kind is a string value representing the REST resource this
49 object represents. Servers may infer this from the endpoint the client
50 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
51 type: string
52 metadata:
53 type: object
54 spec:
55 description: Spec defines the desired state of Gateway.
56 properties:
57 addresses:
58 description: "Addresses requested for this Gateway. This is optional
59 and behavior can depend on the implementation. If a value is set
60 in the spec and the requested address is invalid or unavailable,
61 the implementation MUST indicate this in the associated entry in
62 GatewayStatus.Addresses. \n The Addresses field represents a request
63 for the address(es) on the \"outside of the Gateway\", that traffic
64 bound for this Gateway will use. This could be the IP address or
65 hostname of an external load balancer or other networking infrastructure,
66 or some other address that traffic will be sent to. \n If no Addresses
67 are specified, the implementation MAY schedule the Gateway in an
68 implementation-specific manner, assigning an appropriate set of
69 Addresses. \n The implementation MUST bind all Listeners to every
70 GatewayAddress that it assigns to the Gateway and add a corresponding
71 entry in GatewayStatus.Addresses. \n Support: Extended \n "
72 items:
73 description: GatewayAddress describes an address that can be bound
74 to a Gateway.
75 oneOf:
76 - properties:
77 type:
78 enum:
79 - IPAddress
80 value:
81 anyOf:
82 - format: ipv4
83 - format: ipv6
84 - properties:
85 type:
86 not:
87 enum:
88 - IPAddress
89 properties:
90 type:
91 default: IPAddress
92 description: Type of the address.
93 maxLength: 253
94 minLength: 1
95 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
96 type: string
97 value:
98 description: "Value of the address. The validity of the values
99 will depend on the type and support by the controller. \n
100 Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
101 maxLength: 253
102 minLength: 1
103 type: string
104 required:
105 - value
106 type: object
107 x-kubernetes-validations:
108 - message: Hostname value must only contain valid characters (matching
109 ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
110 rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
111 true'
112 maxItems: 16
113 type: array
114 x-kubernetes-validations:
115 - message: IPAddress values must be unique
116 rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
117 a2.type == a1.type && a2.value == a1.value) : true )'
118 - message: Hostname values must be unique
119 rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
120 a2.type == a1.type && a2.value == a1.value) : true )'
121 gatewayClassName:
122 description: GatewayClassName used for this Gateway. This is the name
123 of a GatewayClass resource.
124 maxLength: 253
125 minLength: 1
126 type: string
127 listeners:
128 description: "Listeners associated with this Gateway. Listeners define
129 logical endpoints that are bound on this Gateway's addresses. At
130 least one Listener MUST be specified. \n Each Listener in a set
131 of Listeners (for example, in a single Gateway) MUST be _distinct_,
132 in that a traffic flow MUST be able to be assigned to exactly one
133 listener. (This section uses \"set of Listeners\" rather than \"Listeners
134 in a single Gateway\" because implementations MAY merge configuration
135 from multiple Gateways onto a single data plane, and these rules
136 _also_ apply in that case). \n Practically, this means that each
137 listener in a set MUST have a unique combination of Port, Protocol,
138 and, if supported by the protocol, Hostname. \n Some combinations
139 of port, protocol, and TLS settings are considered Core support
140 and MUST be supported by implementations based on their targeted
141 conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
142 Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
143 Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
144 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
145 have the following property: \n The implementation can match inbound
146 requests to a single distinct Listener. When multiple Listeners
147 share values for fields (for example, two Listeners with the same
148 Port value), the implementation can match requests to only one of
149 the Listeners using other Listener fields. \n For example, the following
150 Listener scenarios are distinct: \n 1. Multiple Listeners with the
151 same Port that all use the \"HTTP\" Protocol that all have unique
152 Hostname values. 2. Multiple Listeners with the same Port that use
153 either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
154 values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
155 where no Listener with the same Protocol has the same Port value.
156 \n Some fields in the Listener struct have possible values that
157 affect whether the Listener is distinct. Hostname is particularly
158 relevant for HTTP or HTTPS protocols. \n When using the Hostname
159 value to select between same-Port, same-Protocol Listeners, the
160 Hostname value must be different on each Listener for the Listener
161 to be distinct. \n When the Listeners are distinct based on Hostname,
162 inbound request hostnames MUST match from the most specific to least
163 specific Hostname values to choose the correct Listener and its
164 associated set of Routes. \n Exact matches must be processed before
165 wildcard matches, and wildcard matches must be processed before
166 fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
167 takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
168 takes precedence over `\"\"`. \n Additionally, if there are multiple
169 wildcard entries, more specific wildcard entries must be processed
170 before less specific wildcard entries. For example, `\"*.foo.example.com\"`
171 takes precedence over `\"*.example.com\"`. The precise definition
172 here is that the higher the number of dots in the hostname to the
173 right of the wildcard character, the higher the precedence. \n The
174 wildcard character will match any number of characters _and dots_
175 to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
176 _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
177 that are not distinct, then those Listeners are Conflicted, and
178 the implementation MUST set the \"Conflicted\" condition in the
179 Listener Status to \"True\". \n Implementations MAY choose to accept
180 a Gateway with some Conflicted Listeners only if they only accept
181 the partial Listener set that contains no Conflicted Listeners.
182 To put this another way, implementations may accept a partial Listener
183 set only if they throw out *all* the conflicting Listeners. No picking
184 one of the conflicting listeners as the winner. This also means
185 that the Gateway must have at least one non-conflicting Listener
186 in this case, otherwise it violates the requirement that at least
187 one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
188 condition on the Gateway Status when the Gateway contains Conflicted
189 Listeners whether or not they accept the Gateway. That Condition
190 SHOULD clearly indicate in the Message which Listeners are conflicted,
191 and which are Accepted. Additionally, the Listener status for those
192 listeners SHOULD indicate which Listeners are conflicted and not
193 Accepted. \n A Gateway's Listeners are considered \"compatible\"
194 if: \n 1. They are distinct. 2. The implementation can serve them
195 in compliance with the Addresses requirement that all Listeners
196 are available on all assigned addresses. \n Compatible combinations
197 in Extended support are expected to vary across implementations.
198 A combination that is compatible for one implementation may not
199 be compatible for another. \n For example, an implementation that
200 cannot serve both TCP and UDP listeners on the same address, or
201 cannot mix HTTPS and generic TLS listens on the same port would
202 not consider those cases compatible, even though they are distinct.
203 \n Note that requests SHOULD match at most one Listener. For example,
204 if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
205 a request to \"foo.example.com\" SHOULD only be routed using routes
206 attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
207 Listener). This concept is known as \"Listener Isolation\". Implementations
208 that do not support Listener Isolation MUST clearly document this.
209 \n Implementations MAY merge separate Gateways onto a single set
210 of Addresses if all Listeners across all Gateways are compatible.
211 \n Support: Core"
212 items:
213 description: Listener embodies the concept of a logical endpoint
214 where a Gateway accepts network connections.
215 properties:
216 allowedRoutes:
217 default:
218 namespaces:
219 from: Same
220 description: "AllowedRoutes defines the types of routes that
221 MAY be attached to a Listener and the trusted namespaces where
222 those Route resources MAY be present. \n Although a client
223 request may match multiple route rules, only one rule may
224 ultimately receive the request. Matching precedence MUST be
225 determined in order of the following criteria: \n * The most
226 specific match as defined by the Route type. * The oldest
227 Route based on creation timestamp. For example, a Route with
228 a creation timestamp of \"2020-09-08 01:02:03\" is given precedence
229 over a Route with a creation timestamp of \"2020-09-08 01:02:04\".
230 * If everything else is equivalent, the Route appearing first
231 in alphabetical order (namespace/name) should be given precedence.
232 For example, foo/bar is given precedence over foo/baz. \n
233 All valid rules within a Route attached to this Listener should
234 be implemented. Invalid Route rules can be ignored (sometimes
235 that will mean the full Route). If a Route rule transitions
236 from valid to invalid, support for that Route rule should
237 be dropped to ensure consistency. For example, even if a filter
238 specified by a Route rule is invalid, the rest of the rules
239 within that Route should still be supported. \n Support: Core"
240 properties:
241 kinds:
242 description: "Kinds specifies the groups and kinds of Routes
243 that are allowed to bind to this Gateway Listener. When
244 unspecified or empty, the kinds of Routes selected are
245 determined using the Listener protocol. \n A RouteGroupKind
246 MUST correspond to kinds of Routes that are compatible
247 with the application protocol specified in the Listener's
248 Protocol field. If an implementation does not support
249 or recognize this resource type, it MUST set the \"ResolvedRefs\"
250 condition to False for this Listener with the \"InvalidRouteKinds\"
251 reason. \n Support: Core"
252 items:
253 description: RouteGroupKind indicates the group and kind
254 of a Route resource.
255 properties:
256 group:
257 default: gateway.networking.k8s.io
258 description: Group is the group of the Route.
259 maxLength: 253
260 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
261 type: string
262 kind:
263 description: Kind is the kind of the Route.
264 maxLength: 63
265 minLength: 1
266 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
267 type: string
268 required:
269 - kind
270 type: object
271 maxItems: 8
272 type: array
273 namespaces:
274 default:
275 from: Same
276 description: "Namespaces indicates namespaces from which
277 Routes may be attached to this Listener. This is restricted
278 to the namespace of this Gateway by default. \n Support:
279 Core"
280 properties:
281 from:
282 default: Same
283 description: "From indicates where Routes will be selected
284 for this Gateway. Possible values are: \n * All: Routes
285 in all namespaces may be used by this Gateway. * Selector:
286 Routes in namespaces selected by the selector may
287 be used by this Gateway. * Same: Only Routes in the
288 same namespace may be used by this Gateway. \n Support:
289 Core"
290 enum:
291 - All
292 - Selector
293 - Same
294 type: string
295 selector:
296 description: "Selector must be specified when From is
297 set to \"Selector\". In that case, only Routes in
298 Namespaces matching this Selector will be selected
299 by this Gateway. This field is ignored for other values
300 of \"From\". \n Support: Core"
301 properties:
302 matchExpressions:
303 description: matchExpressions is a list of label
304 selector requirements. The requirements are ANDed.
305 items:
306 description: A label selector requirement is a
307 selector that contains values, a key, and an
308 operator that relates the key and values.
309 properties:
310 key:
311 description: key is the label key that the
312 selector applies to.
313 type: string
314 operator:
315 description: operator represents a key's relationship
316 to a set of values. Valid operators are
317 In, NotIn, Exists and DoesNotExist.
318 type: string
319 values:
320 description: values is an array of string
321 values. If the operator is In or NotIn,
322 the values array must be non-empty. If the
323 operator is Exists or DoesNotExist, the
324 values array must be empty. This array is
325 replaced during a strategic merge patch.
326 items:
327 type: string
328 type: array
329 required:
330 - key
331 - operator
332 type: object
333 type: array
334 matchLabels:
335 additionalProperties:
336 type: string
337 description: matchLabels is a map of {key,value}
338 pairs. A single {key,value} in the matchLabels
339 map is equivalent to an element of matchExpressions,
340 whose key field is "key", the operator is "In",
341 and the values array contains only "value". The
342 requirements are ANDed.
343 type: object
344 type: object
345 x-kubernetes-map-type: atomic
346 type: object
347 type: object
348 hostname:
349 description: "Hostname specifies the virtual hostname to match
350 for protocol types that define this concept. When unspecified,
351 all hostnames are matched. This field is ignored for protocols
352 that don't require hostname based matching. \n Implementations
353 MUST apply Hostname matching appropriately for each of the
354 following protocols: \n * TLS: The Listener Hostname MUST
355 match the SNI. * HTTP: The Listener Hostname MUST match the
356 Host header of the request. * HTTPS: The Listener Hostname
357 SHOULD match at both the TLS and HTTP protocol layers as described
358 above. If an implementation does not ensure that both the
359 SNI and Host header match the Listener hostname, it MUST clearly
360 document that. \n For HTTPRoute and TLSRoute resources, there
361 is an interaction with the `spec.hostnames` array. When both
362 listener and route specify hostnames, there MUST be an intersection
363 between the values for a Route to be accepted. For more information,
364 refer to the Route specific Hostnames documentation. \n Hostnames
365 that are prefixed with a wildcard label (`*.`) are interpreted
366 as a suffix match. That means that a match for `*.example.com`
367 would match both `test.example.com`, and `foo.test.example.com`,
368 but not `example.com`. \n Support: Core"
369 maxLength: 253
370 minLength: 1
371 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
372 type: string
373 name:
374 description: "Name is the name of the Listener. This name MUST
375 be unique within a Gateway. \n Support: Core"
376 maxLength: 253
377 minLength: 1
378 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
379 type: string
380 port:
381 description: "Port is the network port. Multiple listeners may
382 use the same port, subject to the Listener compatibility rules.
383 \n Support: Core"
384 format: int32
385 maximum: 65535
386 minimum: 1
387 type: integer
388 protocol:
389 description: "Protocol specifies the network protocol this listener
390 expects to receive. \n Support: Core"
391 maxLength: 255
392 minLength: 1
393 pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
394 type: string
395 tls:
396 description: "TLS is the TLS configuration for the Listener.
397 This field is required if the Protocol field is \"HTTPS\"
398 or \"TLS\". It is invalid to set this field if the Protocol
399 field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
400 of SNIs to Certificate defined in GatewayTLSConfig is defined
401 based on the Hostname field for this listener. \n The GatewayClass
402 MUST use the longest matching SNI out of all available certificates
403 for any TLS handshake. \n Support: Core"
404 properties:
405 certificateRefs:
406 description: "CertificateRefs contains a series of references
407 to Kubernetes objects that contains TLS certificates and
408 private keys. These certificates are used to establish
409 a TLS handshake for requests that match the hostname of
410 the associated listener. \n A single CertificateRef to
411 a Kubernetes Secret has \"Core\" support. Implementations
412 MAY choose to support attaching multiple certificates
413 to a Listener, but this behavior is implementation-specific.
414 \n References to a resource in different namespace are
415 invalid UNLESS there is a ReferenceGrant in the target
416 namespace that allows the certificate to be attached.
417 If a ReferenceGrant does not allow this reference, the
418 \"ResolvedRefs\" condition MUST be set to False for this
419 listener with the \"RefNotPermitted\" reason. \n This
420 field is required to have at least one element when the
421 mode is set to \"Terminate\" (default) and is optional
422 otherwise. \n CertificateRefs can reference to standard
423 Kubernetes resources, i.e. Secret, or implementation-specific
424 custom resources. \n Support: Core - A single reference
425 to a Kubernetes Secret of type kubernetes.io/tls \n Support:
426 Implementation-specific (More than one reference or other
427 resource types)"
428 items:
429 description: "SecretObjectReference identifies an API
430 object including its namespace, defaulting to Secret.
431 \n The API object must be valid in the cluster; the
432 Group and Kind must be registered in the cluster for
433 this reference to be valid. \n References to objects
434 with invalid Group and Kind are not valid, and must
435 be rejected by the implementation, with appropriate
436 Conditions set on the containing object."
437 properties:
438 group:
439 default: ""
440 description: Group is the group of the referent. For
441 example, "gateway.networking.k8s.io". When unspecified
442 or empty string, core API group is inferred.
443 maxLength: 253
444 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
445 type: string
446 kind:
447 default: Secret
448 description: Kind is kind of the referent. For example
449 "Secret".
450 maxLength: 63
451 minLength: 1
452 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
453 type: string
454 name:
455 description: Name is the name of the referent.
456 maxLength: 253
457 minLength: 1
458 type: string
459 namespace:
460 description: "Namespace is the namespace of the referenced
461 object. When unspecified, the local namespace is
462 inferred. \n Note that when a namespace different
463 than the local namespace is specified, a ReferenceGrant
464 object is required in the referent namespace to
465 allow that namespace's owner to accept the reference.
466 See the ReferenceGrant documentation for details.
467 \n Support: Core"
468 maxLength: 63
469 minLength: 1
470 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
471 type: string
472 required:
473 - name
474 type: object
475 maxItems: 64
476 type: array
477 mode:
478 default: Terminate
479 description: "Mode defines the TLS behavior for the TLS
480 session initiated by the client. There are two possible
481 modes: \n - Terminate: The TLS session between the downstream
482 client and the Gateway is terminated at the Gateway. This
483 mode requires certificateRefs to be set and contain at
484 least one element. - Passthrough: The TLS session is NOT
485 terminated by the Gateway. This implies that the Gateway
486 can't decipher the TLS stream except for the ClientHello
487 message of the TLS protocol. CertificateRefs field is
488 ignored in this mode. \n Support: Core"
489 enum:
490 - Terminate
491 - Passthrough
492 type: string
493 options:
494 additionalProperties:
495 description: AnnotationValue is the value of an annotation
496 in Gateway API. This is used for validation of maps
497 such as TLS options. This roughly matches Kubernetes
498 annotation validation, although the length validation
499 in that case is based on the entire size of the annotations
500 struct.
501 maxLength: 4096
502 minLength: 0
503 type: string
504 description: "Options are a list of key/value pairs to enable
505 extended TLS configuration for each implementation. For
506 example, configuring the minimum TLS version or supported
507 cipher suites. \n A set of common keys MAY be defined
508 by the API in the future. To avoid any ambiguity, implementation-specific
509 definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
510 Un-prefixed names are reserved for key names defined by
511 Gateway API. \n Support: Implementation-specific"
512 maxProperties: 16
513 type: object
514 type: object
515 x-kubernetes-validations:
516 - message: certificateRefs must be specified when TLSModeType
517 is Terminate
518 rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
519 > 0 : true'
520 required:
521 - name
522 - port
523 - protocol
524 type: object
525 maxItems: 64
526 minItems: 1
527 type: array
528 x-kubernetes-list-map-keys:
529 - name
530 x-kubernetes-list-type: map
531 x-kubernetes-validations:
532 - message: tls must be specified for protocols ['HTTPS', 'TLS']
533 rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ? has(l.tls)
534 : true)'
535 - message: tls must not be specified for protocols ['HTTP', 'TCP',
536 'UDP']
537 rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
538 !has(l.tls) : true)'
539 - message: hostname must not be specified for protocols ['TCP', 'UDP']
540 rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
541 || l.hostname == '''') : true)'
542 - message: Listener name must be unique within the Gateway
543 rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
544 - message: Combination of port, protocol and hostname must be unique
545 for each listener
546 rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
547 == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
548 == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
549 required:
550 - gatewayClassName
551 - listeners
552 type: object
553 status:
554 default:
555 conditions:
556 - lastTransitionTime: "1970-01-01T00:00:00Z"
557 message: Waiting for controller
558 reason: Pending
559 status: Unknown
560 type: Accepted
561 - lastTransitionTime: "1970-01-01T00:00:00Z"
562 message: Waiting for controller
563 reason: Pending
564 status: Unknown
565 type: Programmed
566 description: Status defines the current state of Gateway.
567 properties:
568 addresses:
569 description: "Addresses lists the network addresses that have been
570 bound to the Gateway. \n This list may differ from the addresses
571 provided in the spec under some conditions: \n * no addresses are
572 specified, all addresses are dynamically assigned * a combination
573 of specified and dynamic addresses are assigned * a specified address
574 was unusable (e.g. already in use) \n "
575 items:
576 description: GatewayStatusAddress describes a network address that
577 is bound to a Gateway.
578 oneOf:
579 - properties:
580 type:
581 enum:
582 - IPAddress
583 value:
584 anyOf:
585 - format: ipv4
586 - format: ipv6
587 - properties:
588 type:
589 not:
590 enum:
591 - IPAddress
592 properties:
593 type:
594 default: IPAddress
595 description: Type of the address.
596 maxLength: 253
597 minLength: 1
598 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
599 type: string
600 value:
601 description: "Value of the address. The validity of the values
602 will depend on the type and support by the controller. \n
603 Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
604 maxLength: 253
605 minLength: 1
606 type: string
607 required:
608 - value
609 type: object
610 x-kubernetes-validations:
611 - message: Hostname value must only contain valid characters (matching
612 ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
613 rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
614 true'
615 maxItems: 16
616 type: array
617 conditions:
618 default:
619 - lastTransitionTime: "1970-01-01T00:00:00Z"
620 message: Waiting for controller
621 reason: Pending
622 status: Unknown
623 type: Accepted
624 - lastTransitionTime: "1970-01-01T00:00:00Z"
625 message: Waiting for controller
626 reason: Pending
627 status: Unknown
628 type: Programmed
629 description: "Conditions describe the current conditions of the Gateway.
630 \n Implementations should prefer to express Gateway conditions using
631 the `GatewayConditionType` and `GatewayConditionReason` constants
632 so that operators and tools can converge on a common vocabulary
633 to describe Gateway state. \n Known condition types are: \n * \"Accepted\"
634 * \"Programmed\" * \"Ready\""
635 items:
636 description: "Condition contains details for one aspect of the current
637 state of this API Resource. --- This struct is intended for direct
638 use as an array at the field path .status.conditions. For example,
639 \n type FooStatus struct{ // Represents the observations of a
640 foo's current state. // Known .status.conditions.type are: \"Available\",
641 \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
642 // +listType=map // +listMapKey=type Conditions []metav1.Condition
643 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
644 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
645 properties:
646 lastTransitionTime:
647 description: lastTransitionTime is the last time the condition
648 transitioned from one status to another. This should be when
649 the underlying condition changed. If that is not known, then
650 using the time when the API field changed is acceptable.
651 format: date-time
652 type: string
653 message:
654 description: message is a human readable message indicating
655 details about the transition. This may be an empty string.
656 maxLength: 32768
657 type: string
658 observedGeneration:
659 description: observedGeneration represents the .metadata.generation
660 that the condition was set based upon. For instance, if .metadata.generation
661 is currently 12, but the .status.conditions[x].observedGeneration
662 is 9, the condition is out of date with respect to the current
663 state of the instance.
664 format: int64
665 minimum: 0
666 type: integer
667 reason:
668 description: reason contains a programmatic identifier indicating
669 the reason for the condition's last transition. Producers
670 of specific condition types may define expected values and
671 meanings for this field, and whether the values are considered
672 a guaranteed API. The value should be a CamelCase string.
673 This field may not be empty.
674 maxLength: 1024
675 minLength: 1
676 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
677 type: string
678 status:
679 description: status of the condition, one of True, False, Unknown.
680 enum:
681 - "True"
682 - "False"
683 - Unknown
684 type: string
685 type:
686 description: type of condition in CamelCase or in foo.example.com/CamelCase.
687 --- Many .condition.type values are consistent across resources
688 like Available, but because arbitrary conditions can be useful
689 (see .node.status.conditions), the ability to deconflict is
690 important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
691 maxLength: 316
692 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
693 type: string
694 required:
695 - lastTransitionTime
696 - message
697 - reason
698 - status
699 - type
700 type: object
701 maxItems: 8
702 type: array
703 x-kubernetes-list-map-keys:
704 - type
705 x-kubernetes-list-type: map
706 listeners:
707 description: Listeners provide status for each unique listener port
708 defined in the Spec.
709 items:
710 description: ListenerStatus is the status associated with a Listener.
711 properties:
712 attachedRoutes:
713 description: "AttachedRoutes represents the total number of
714 Routes that have been successfully attached to this Listener.
715 \n Successful attachment of a Route to a Listener is based
716 solely on the combination of the AllowedRoutes field on the
717 corresponding Listener and the Route's ParentRefs field. A
718 Route is successfully attached to a Listener when it is selected
719 by the Listener's AllowedRoutes field AND the Route has a
720 valid ParentRef selecting the whole Gateway resource or a
721 specific Listener as a parent resource (more detail on attachment
722 semantics can be found in the documentation on the various
723 Route kinds ParentRefs fields). Listener or Route status does
724 not impact successful attachment, i.e. the AttachedRoutes
725 field count MUST be set for Listeners with condition Accepted:
726 false and MUST count successfully attached Routes that may
727 themselves have Accepted: false conditions. \n Uses for this
728 field include troubleshooting Route attachment and measuring
729 blast radius/impact of changes to a Listener."
730 format: int32
731 type: integer
732 conditions:
733 description: Conditions describe the current condition of this
734 listener.
735 items:
736 description: "Condition contains details for one aspect of
737 the current state of this API Resource. --- This struct
738 is intended for direct use as an array at the field path
739 .status.conditions. For example, \n type FooStatus struct{
740 // Represents the observations of a foo's current state.
741 // Known .status.conditions.type are: \"Available\", \"Progressing\",
742 and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
743 // +listType=map // +listMapKey=type Conditions []metav1.Condition
744 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
745 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
746 }"
747 properties:
748 lastTransitionTime:
749 description: lastTransitionTime is the last time the condition
750 transitioned from one status to another. This should
751 be when the underlying condition changed. If that is
752 not known, then using the time when the API field changed
753 is acceptable.
754 format: date-time
755 type: string
756 message:
757 description: message is a human readable message indicating
758 details about the transition. This may be an empty string.
759 maxLength: 32768
760 type: string
761 observedGeneration:
762 description: observedGeneration represents the .metadata.generation
763 that the condition was set based upon. For instance,
764 if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
765 is 9, the condition is out of date with respect to the
766 current state of the instance.
767 format: int64
768 minimum: 0
769 type: integer
770 reason:
771 description: reason contains a programmatic identifier
772 indicating the reason for the condition's last transition.
773 Producers of specific condition types may define expected
774 values and meanings for this field, and whether the
775 values are considered a guaranteed API. The value should
776 be a CamelCase string. This field may not be empty.
777 maxLength: 1024
778 minLength: 1
779 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
780 type: string
781 status:
782 description: status of the condition, one of True, False,
783 Unknown.
784 enum:
785 - "True"
786 - "False"
787 - Unknown
788 type: string
789 type:
790 description: type of condition in CamelCase or in foo.example.com/CamelCase.
791 --- Many .condition.type values are consistent across
792 resources like Available, but because arbitrary conditions
793 can be useful (see .node.status.conditions), the ability
794 to deconflict is important. The regex it matches is
795 (dns1123SubdomainFmt/)?(qualifiedNameFmt)
796 maxLength: 316
797 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
798 type: string
799 required:
800 - lastTransitionTime
801 - message
802 - reason
803 - status
804 - type
805 type: object
806 maxItems: 8
807 type: array
808 x-kubernetes-list-map-keys:
809 - type
810 x-kubernetes-list-type: map
811 name:
812 description: Name is the name of the Listener that this status
813 corresponds to.
814 maxLength: 253
815 minLength: 1
816 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
817 type: string
818 supportedKinds:
819 description: "SupportedKinds is the list indicating the Kinds
820 supported by this listener. This MUST represent the kinds
821 an implementation supports for that Listener configuration.
822 \n If kinds are specified in Spec that are not supported,
823 they MUST NOT appear in this list and an implementation MUST
824 set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
825 reason. If both valid and invalid Route kinds are specified,
826 the implementation MUST reference the valid Route kinds that
827 have been specified."
828 items:
829 description: RouteGroupKind indicates the group and kind of
830 a Route resource.
831 properties:
832 group:
833 default: gateway.networking.k8s.io
834 description: Group is the group of the Route.
835 maxLength: 253
836 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
837 type: string
838 kind:
839 description: Kind is the kind of the Route.
840 maxLength: 63
841 minLength: 1
842 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
843 type: string
844 required:
845 - kind
846 type: object
847 maxItems: 8
848 type: array
849 required:
850 - attachedRoutes
851 - conditions
852 - name
853 - supportedKinds
854 type: object
855 maxItems: 64
856 type: array
857 x-kubernetes-list-map-keys:
858 - name
859 x-kubernetes-list-type: map
860 type: object
861 required:
862 - spec
863 type: object
864 served: true
865 storage: false
866 subresources:
867 status: {}
868 - additionalPrinterColumns:
869 - jsonPath: .spec.gatewayClassName
870 name: Class
871 type: string
872 - jsonPath: .status.addresses[*].value
873 name: Address
874 type: string
875 - jsonPath: .status.conditions[?(@.type=="Programmed")].status
876 name: Programmed
877 type: string
878 - jsonPath: .metadata.creationTimestamp
879 name: Age
880 type: date
881 name: v1beta1
882 schema:
883 openAPIV3Schema:
884 description: Gateway represents an instance of a service-traffic handling
885 infrastructure by binding Listeners to a set of IP addresses.
886 properties:
887 apiVersion:
888 description: 'APIVersion defines the versioned schema of this representation
889 of an object. Servers should convert recognized schemas to the latest
890 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
891 type: string
892 kind:
893 description: 'Kind is a string value representing the REST resource this
894 object represents. Servers may infer this from the endpoint the client
895 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
896 type: string
897 metadata:
898 type: object
899 spec:
900 description: Spec defines the desired state of Gateway.
901 properties:
902 addresses:
903 description: "Addresses requested for this Gateway. This is optional
904 and behavior can depend on the implementation. If a value is set
905 in the spec and the requested address is invalid or unavailable,
906 the implementation MUST indicate this in the associated entry in
907 GatewayStatus.Addresses. \n The Addresses field represents a request
908 for the address(es) on the \"outside of the Gateway\", that traffic
909 bound for this Gateway will use. This could be the IP address or
910 hostname of an external load balancer or other networking infrastructure,
911 or some other address that traffic will be sent to. \n If no Addresses
912 are specified, the implementation MAY schedule the Gateway in an
913 implementation-specific manner, assigning an appropriate set of
914 Addresses. \n The implementation MUST bind all Listeners to every
915 GatewayAddress that it assigns to the Gateway and add a corresponding
916 entry in GatewayStatus.Addresses. \n Support: Extended \n "
917 items:
918 description: GatewayAddress describes an address that can be bound
919 to a Gateway.
920 oneOf:
921 - properties:
922 type:
923 enum:
924 - IPAddress
925 value:
926 anyOf:
927 - format: ipv4
928 - format: ipv6
929 - properties:
930 type:
931 not:
932 enum:
933 - IPAddress
934 properties:
935 type:
936 default: IPAddress
937 description: Type of the address.
938 maxLength: 253
939 minLength: 1
940 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
941 type: string
942 value:
943 description: "Value of the address. The validity of the values
944 will depend on the type and support by the controller. \n
945 Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
946 maxLength: 253
947 minLength: 1
948 type: string
949 required:
950 - value
951 type: object
952 x-kubernetes-validations:
953 - message: Hostname value must only contain valid characters (matching
954 ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
955 rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
956 true'
957 maxItems: 16
958 type: array
959 x-kubernetes-validations:
960 - message: IPAddress values must be unique
961 rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
962 a2.type == a1.type && a2.value == a1.value) : true )'
963 - message: Hostname values must be unique
964 rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
965 a2.type == a1.type && a2.value == a1.value) : true )'
966 gatewayClassName:
967 description: GatewayClassName used for this Gateway. This is the name
968 of a GatewayClass resource.
969 maxLength: 253
970 minLength: 1
971 type: string
972 listeners:
973 description: "Listeners associated with this Gateway. Listeners define
974 logical endpoints that are bound on this Gateway's addresses. At
975 least one Listener MUST be specified. \n Each Listener in a set
976 of Listeners (for example, in a single Gateway) MUST be _distinct_,
977 in that a traffic flow MUST be able to be assigned to exactly one
978 listener. (This section uses \"set of Listeners\" rather than \"Listeners
979 in a single Gateway\" because implementations MAY merge configuration
980 from multiple Gateways onto a single data plane, and these rules
981 _also_ apply in that case). \n Practically, this means that each
982 listener in a set MUST have a unique combination of Port, Protocol,
983 and, if supported by the protocol, Hostname. \n Some combinations
984 of port, protocol, and TLS settings are considered Core support
985 and MUST be supported by implementations based on their targeted
986 conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
987 Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
988 Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
989 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
990 have the following property: \n The implementation can match inbound
991 requests to a single distinct Listener. When multiple Listeners
992 share values for fields (for example, two Listeners with the same
993 Port value), the implementation can match requests to only one of
994 the Listeners using other Listener fields. \n For example, the following
995 Listener scenarios are distinct: \n 1. Multiple Listeners with the
996 same Port that all use the \"HTTP\" Protocol that all have unique
997 Hostname values. 2. Multiple Listeners with the same Port that use
998 either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
999 values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
1000 where no Listener with the same Protocol has the same Port value.
1001 \n Some fields in the Listener struct have possible values that
1002 affect whether the Listener is distinct. Hostname is particularly
1003 relevant for HTTP or HTTPS protocols. \n When using the Hostname
1004 value to select between same-Port, same-Protocol Listeners, the
1005 Hostname value must be different on each Listener for the Listener
1006 to be distinct. \n When the Listeners are distinct based on Hostname,
1007 inbound request hostnames MUST match from the most specific to least
1008 specific Hostname values to choose the correct Listener and its
1009 associated set of Routes. \n Exact matches must be processed before
1010 wildcard matches, and wildcard matches must be processed before
1011 fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
1012 takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
1013 takes precedence over `\"\"`. \n Additionally, if there are multiple
1014 wildcard entries, more specific wildcard entries must be processed
1015 before less specific wildcard entries. For example, `\"*.foo.example.com\"`
1016 takes precedence over `\"*.example.com\"`. The precise definition
1017 here is that the higher the number of dots in the hostname to the
1018 right of the wildcard character, the higher the precedence. \n The
1019 wildcard character will match any number of characters _and dots_
1020 to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
1021 _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
1022 that are not distinct, then those Listeners are Conflicted, and
1023 the implementation MUST set the \"Conflicted\" condition in the
1024 Listener Status to \"True\". \n Implementations MAY choose to accept
1025 a Gateway with some Conflicted Listeners only if they only accept
1026 the partial Listener set that contains no Conflicted Listeners.
1027 To put this another way, implementations may accept a partial Listener
1028 set only if they throw out *all* the conflicting Listeners. No picking
1029 one of the conflicting listeners as the winner. This also means
1030 that the Gateway must have at least one non-conflicting Listener
1031 in this case, otherwise it violates the requirement that at least
1032 one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
1033 condition on the Gateway Status when the Gateway contains Conflicted
1034 Listeners whether or not they accept the Gateway. That Condition
1035 SHOULD clearly indicate in the Message which Listeners are conflicted,
1036 and which are Accepted. Additionally, the Listener status for those
1037 listeners SHOULD indicate which Listeners are conflicted and not
1038 Accepted. \n A Gateway's Listeners are considered \"compatible\"
1039 if: \n 1. They are distinct. 2. The implementation can serve them
1040 in compliance with the Addresses requirement that all Listeners
1041 are available on all assigned addresses. \n Compatible combinations
1042 in Extended support are expected to vary across implementations.
1043 A combination that is compatible for one implementation may not
1044 be compatible for another. \n For example, an implementation that
1045 cannot serve both TCP and UDP listeners on the same address, or
1046 cannot mix HTTPS and generic TLS listens on the same port would
1047 not consider those cases compatible, even though they are distinct.
1048 \n Note that requests SHOULD match at most one Listener. For example,
1049 if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
1050 a request to \"foo.example.com\" SHOULD only be routed using routes
1051 attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
1052 Listener). This concept is known as \"Listener Isolation\". Implementations
1053 that do not support Listener Isolation MUST clearly document this.
1054 \n Implementations MAY merge separate Gateways onto a single set
1055 of Addresses if all Listeners across all Gateways are compatible.
1056 \n Support: Core"
1057 items:
1058 description: Listener embodies the concept of a logical endpoint
1059 where a Gateway accepts network connections.
1060 properties:
1061 allowedRoutes:
1062 default:
1063 namespaces:
1064 from: Same
1065 description: "AllowedRoutes defines the types of routes that
1066 MAY be attached to a Listener and the trusted namespaces where
1067 those Route resources MAY be present. \n Although a client
1068 request may match multiple route rules, only one rule may
1069 ultimately receive the request. Matching precedence MUST be
1070 determined in order of the following criteria: \n * The most
1071 specific match as defined by the Route type. * The oldest
1072 Route based on creation timestamp. For example, a Route with
1073 a creation timestamp of \"2020-09-08 01:02:03\" is given precedence
1074 over a Route with a creation timestamp of \"2020-09-08 01:02:04\".
1075 * If everything else is equivalent, the Route appearing first
1076 in alphabetical order (namespace/name) should be given precedence.
1077 For example, foo/bar is given precedence over foo/baz. \n
1078 All valid rules within a Route attached to this Listener should
1079 be implemented. Invalid Route rules can be ignored (sometimes
1080 that will mean the full Route). If a Route rule transitions
1081 from valid to invalid, support for that Route rule should
1082 be dropped to ensure consistency. For example, even if a filter
1083 specified by a Route rule is invalid, the rest of the rules
1084 within that Route should still be supported. \n Support: Core"
1085 properties:
1086 kinds:
1087 description: "Kinds specifies the groups and kinds of Routes
1088 that are allowed to bind to this Gateway Listener. When
1089 unspecified or empty, the kinds of Routes selected are
1090 determined using the Listener protocol. \n A RouteGroupKind
1091 MUST correspond to kinds of Routes that are compatible
1092 with the application protocol specified in the Listener's
1093 Protocol field. If an implementation does not support
1094 or recognize this resource type, it MUST set the \"ResolvedRefs\"
1095 condition to False for this Listener with the \"InvalidRouteKinds\"
1096 reason. \n Support: Core"
1097 items:
1098 description: RouteGroupKind indicates the group and kind
1099 of a Route resource.
1100 properties:
1101 group:
1102 default: gateway.networking.k8s.io
1103 description: Group is the group of the Route.
1104 maxLength: 253
1105 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1106 type: string
1107 kind:
1108 description: Kind is the kind of the Route.
1109 maxLength: 63
1110 minLength: 1
1111 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
1112 type: string
1113 required:
1114 - kind
1115 type: object
1116 maxItems: 8
1117 type: array
1118 namespaces:
1119 default:
1120 from: Same
1121 description: "Namespaces indicates namespaces from which
1122 Routes may be attached to this Listener. This is restricted
1123 to the namespace of this Gateway by default. \n Support:
1124 Core"
1125 properties:
1126 from:
1127 default: Same
1128 description: "From indicates where Routes will be selected
1129 for this Gateway. Possible values are: \n * All: Routes
1130 in all namespaces may be used by this Gateway. * Selector:
1131 Routes in namespaces selected by the selector may
1132 be used by this Gateway. * Same: Only Routes in the
1133 same namespace may be used by this Gateway. \n Support:
1134 Core"
1135 enum:
1136 - All
1137 - Selector
1138 - Same
1139 type: string
1140 selector:
1141 description: "Selector must be specified when From is
1142 set to \"Selector\". In that case, only Routes in
1143 Namespaces matching this Selector will be selected
1144 by this Gateway. This field is ignored for other values
1145 of \"From\". \n Support: Core"
1146 properties:
1147 matchExpressions:
1148 description: matchExpressions is a list of label
1149 selector requirements. The requirements are ANDed.
1150 items:
1151 description: A label selector requirement is a
1152 selector that contains values, a key, and an
1153 operator that relates the key and values.
1154 properties:
1155 key:
1156 description: key is the label key that the
1157 selector applies to.
1158 type: string
1159 operator:
1160 description: operator represents a key's relationship
1161 to a set of values. Valid operators are
1162 In, NotIn, Exists and DoesNotExist.
1163 type: string
1164 values:
1165 description: values is an array of string
1166 values. If the operator is In or NotIn,
1167 the values array must be non-empty. If the
1168 operator is Exists or DoesNotExist, the
1169 values array must be empty. This array is
1170 replaced during a strategic merge patch.
1171 items:
1172 type: string
1173 type: array
1174 required:
1175 - key
1176 - operator
1177 type: object
1178 type: array
1179 matchLabels:
1180 additionalProperties:
1181 type: string
1182 description: matchLabels is a map of {key,value}
1183 pairs. A single {key,value} in the matchLabels
1184 map is equivalent to an element of matchExpressions,
1185 whose key field is "key", the operator is "In",
1186 and the values array contains only "value". The
1187 requirements are ANDed.
1188 type: object
1189 type: object
1190 x-kubernetes-map-type: atomic
1191 type: object
1192 type: object
1193 hostname:
1194 description: "Hostname specifies the virtual hostname to match
1195 for protocol types that define this concept. When unspecified,
1196 all hostnames are matched. This field is ignored for protocols
1197 that don't require hostname based matching. \n Implementations
1198 MUST apply Hostname matching appropriately for each of the
1199 following protocols: \n * TLS: The Listener Hostname MUST
1200 match the SNI. * HTTP: The Listener Hostname MUST match the
1201 Host header of the request. * HTTPS: The Listener Hostname
1202 SHOULD match at both the TLS and HTTP protocol layers as described
1203 above. If an implementation does not ensure that both the
1204 SNI and Host header match the Listener hostname, it MUST clearly
1205 document that. \n For HTTPRoute and TLSRoute resources, there
1206 is an interaction with the `spec.hostnames` array. When both
1207 listener and route specify hostnames, there MUST be an intersection
1208 between the values for a Route to be accepted. For more information,
1209 refer to the Route specific Hostnames documentation. \n Hostnames
1210 that are prefixed with a wildcard label (`*.`) are interpreted
1211 as a suffix match. That means that a match for `*.example.com`
1212 would match both `test.example.com`, and `foo.test.example.com`,
1213 but not `example.com`. \n Support: Core"
1214 maxLength: 253
1215 minLength: 1
1216 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1217 type: string
1218 name:
1219 description: "Name is the name of the Listener. This name MUST
1220 be unique within a Gateway. \n Support: Core"
1221 maxLength: 253
1222 minLength: 1
1223 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1224 type: string
1225 port:
1226 description: "Port is the network port. Multiple listeners may
1227 use the same port, subject to the Listener compatibility rules.
1228 \n Support: Core"
1229 format: int32
1230 maximum: 65535
1231 minimum: 1
1232 type: integer
1233 protocol:
1234 description: "Protocol specifies the network protocol this listener
1235 expects to receive. \n Support: Core"
1236 maxLength: 255
1237 minLength: 1
1238 pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
1239 type: string
1240 tls:
1241 description: "TLS is the TLS configuration for the Listener.
1242 This field is required if the Protocol field is \"HTTPS\"
1243 or \"TLS\". It is invalid to set this field if the Protocol
1244 field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
1245 of SNIs to Certificate defined in GatewayTLSConfig is defined
1246 based on the Hostname field for this listener. \n The GatewayClass
1247 MUST use the longest matching SNI out of all available certificates
1248 for any TLS handshake. \n Support: Core"
1249 properties:
1250 certificateRefs:
1251 description: "CertificateRefs contains a series of references
1252 to Kubernetes objects that contains TLS certificates and
1253 private keys. These certificates are used to establish
1254 a TLS handshake for requests that match the hostname of
1255 the associated listener. \n A single CertificateRef to
1256 a Kubernetes Secret has \"Core\" support. Implementations
1257 MAY choose to support attaching multiple certificates
1258 to a Listener, but this behavior is implementation-specific.
1259 \n References to a resource in different namespace are
1260 invalid UNLESS there is a ReferenceGrant in the target
1261 namespace that allows the certificate to be attached.
1262 If a ReferenceGrant does not allow this reference, the
1263 \"ResolvedRefs\" condition MUST be set to False for this
1264 listener with the \"RefNotPermitted\" reason. \n This
1265 field is required to have at least one element when the
1266 mode is set to \"Terminate\" (default) and is optional
1267 otherwise. \n CertificateRefs can reference to standard
1268 Kubernetes resources, i.e. Secret, or implementation-specific
1269 custom resources. \n Support: Core - A single reference
1270 to a Kubernetes Secret of type kubernetes.io/tls \n Support:
1271 Implementation-specific (More than one reference or other
1272 resource types)"
1273 items:
1274 description: "SecretObjectReference identifies an API
1275 object including its namespace, defaulting to Secret.
1276 \n The API object must be valid in the cluster; the
1277 Group and Kind must be registered in the cluster for
1278 this reference to be valid. \n References to objects
1279 with invalid Group and Kind are not valid, and must
1280 be rejected by the implementation, with appropriate
1281 Conditions set on the containing object."
1282 properties:
1283 group:
1284 default: ""
1285 description: Group is the group of the referent. For
1286 example, "gateway.networking.k8s.io". When unspecified
1287 or empty string, core API group is inferred.
1288 maxLength: 253
1289 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1290 type: string
1291 kind:
1292 default: Secret
1293 description: Kind is kind of the referent. For example
1294 "Secret".
1295 maxLength: 63
1296 minLength: 1
1297 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
1298 type: string
1299 name:
1300 description: Name is the name of the referent.
1301 maxLength: 253
1302 minLength: 1
1303 type: string
1304 namespace:
1305 description: "Namespace is the namespace of the referenced
1306 object. When unspecified, the local namespace is
1307 inferred. \n Note that when a namespace different
1308 than the local namespace is specified, a ReferenceGrant
1309 object is required in the referent namespace to
1310 allow that namespace's owner to accept the reference.
1311 See the ReferenceGrant documentation for details.
1312 \n Support: Core"
1313 maxLength: 63
1314 minLength: 1
1315 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
1316 type: string
1317 required:
1318 - name
1319 type: object
1320 maxItems: 64
1321 type: array
1322 mode:
1323 default: Terminate
1324 description: "Mode defines the TLS behavior for the TLS
1325 session initiated by the client. There are two possible
1326 modes: \n - Terminate: The TLS session between the downstream
1327 client and the Gateway is terminated at the Gateway. This
1328 mode requires certificateRefs to be set and contain at
1329 least one element. - Passthrough: The TLS session is NOT
1330 terminated by the Gateway. This implies that the Gateway
1331 can't decipher the TLS stream except for the ClientHello
1332 message of the TLS protocol. CertificateRefs field is
1333 ignored in this mode. \n Support: Core"
1334 enum:
1335 - Terminate
1336 - Passthrough
1337 type: string
1338 options:
1339 additionalProperties:
1340 description: AnnotationValue is the value of an annotation
1341 in Gateway API. This is used for validation of maps
1342 such as TLS options. This roughly matches Kubernetes
1343 annotation validation, although the length validation
1344 in that case is based on the entire size of the annotations
1345 struct.
1346 maxLength: 4096
1347 minLength: 0
1348 type: string
1349 description: "Options are a list of key/value pairs to enable
1350 extended TLS configuration for each implementation. For
1351 example, configuring the minimum TLS version or supported
1352 cipher suites. \n A set of common keys MAY be defined
1353 by the API in the future. To avoid any ambiguity, implementation-specific
1354 definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
1355 Un-prefixed names are reserved for key names defined by
1356 Gateway API. \n Support: Implementation-specific"
1357 maxProperties: 16
1358 type: object
1359 type: object
1360 x-kubernetes-validations:
1361 - message: certificateRefs must be specified when TLSModeType
1362 is Terminate
1363 rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
1364 > 0 : true'
1365 required:
1366 - name
1367 - port
1368 - protocol
1369 type: object
1370 maxItems: 64
1371 minItems: 1
1372 type: array
1373 x-kubernetes-list-map-keys:
1374 - name
1375 x-kubernetes-list-type: map
1376 x-kubernetes-validations:
1377 - message: tls must be specified for protocols ['HTTPS', 'TLS']
1378 rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ? has(l.tls)
1379 : true)'
1380 - message: tls must not be specified for protocols ['HTTP', 'TCP',
1381 'UDP']
1382 rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
1383 !has(l.tls) : true)'
1384 - message: hostname must not be specified for protocols ['TCP', 'UDP']
1385 rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
1386 || l.hostname == '''') : true)'
1387 - message: Listener name must be unique within the Gateway
1388 rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
1389 - message: Combination of port, protocol and hostname must be unique
1390 for each listener
1391 rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
1392 == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
1393 == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
1394 required:
1395 - gatewayClassName
1396 - listeners
1397 type: object
1398 status:
1399 default:
1400 conditions:
1401 - lastTransitionTime: "1970-01-01T00:00:00Z"
1402 message: Waiting for controller
1403 reason: Pending
1404 status: Unknown
1405 type: Accepted
1406 - lastTransitionTime: "1970-01-01T00:00:00Z"
1407 message: Waiting for controller
1408 reason: Pending
1409 status: Unknown
1410 type: Programmed
1411 description: Status defines the current state of Gateway.
1412 properties:
1413 addresses:
1414 description: "Addresses lists the network addresses that have been
1415 bound to the Gateway. \n This list may differ from the addresses
1416 provided in the spec under some conditions: \n * no addresses are
1417 specified, all addresses are dynamically assigned * a combination
1418 of specified and dynamic addresses are assigned * a specified address
1419 was unusable (e.g. already in use) \n "
1420 items:
1421 description: GatewayStatusAddress describes a network address that
1422 is bound to a Gateway.
1423 oneOf:
1424 - properties:
1425 type:
1426 enum:
1427 - IPAddress
1428 value:
1429 anyOf:
1430 - format: ipv4
1431 - format: ipv6
1432 - properties:
1433 type:
1434 not:
1435 enum:
1436 - IPAddress
1437 properties:
1438 type:
1439 default: IPAddress
1440 description: Type of the address.
1441 maxLength: 253
1442 minLength: 1
1443 pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
1444 type: string
1445 value:
1446 description: "Value of the address. The validity of the values
1447 will depend on the type and support by the controller. \n
1448 Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
1449 maxLength: 253
1450 minLength: 1
1451 type: string
1452 required:
1453 - value
1454 type: object
1455 x-kubernetes-validations:
1456 - message: Hostname value must only contain valid characters (matching
1457 ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
1458 rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
1459 true'
1460 maxItems: 16
1461 type: array
1462 conditions:
1463 default:
1464 - lastTransitionTime: "1970-01-01T00:00:00Z"
1465 message: Waiting for controller
1466 reason: Pending
1467 status: Unknown
1468 type: Accepted
1469 - lastTransitionTime: "1970-01-01T00:00:00Z"
1470 message: Waiting for controller
1471 reason: Pending
1472 status: Unknown
1473 type: Programmed
1474 description: "Conditions describe the current conditions of the Gateway.
1475 \n Implementations should prefer to express Gateway conditions using
1476 the `GatewayConditionType` and `GatewayConditionReason` constants
1477 so that operators and tools can converge on a common vocabulary
1478 to describe Gateway state. \n Known condition types are: \n * \"Accepted\"
1479 * \"Programmed\" * \"Ready\""
1480 items:
1481 description: "Condition contains details for one aspect of the current
1482 state of this API Resource. --- This struct is intended for direct
1483 use as an array at the field path .status.conditions. For example,
1484 \n type FooStatus struct{ // Represents the observations of a
1485 foo's current state. // Known .status.conditions.type are: \"Available\",
1486 \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
1487 // +listType=map // +listMapKey=type Conditions []metav1.Condition
1488 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
1489 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
1490 properties:
1491 lastTransitionTime:
1492 description: lastTransitionTime is the last time the condition
1493 transitioned from one status to another. This should be when
1494 the underlying condition changed. If that is not known, then
1495 using the time when the API field changed is acceptable.
1496 format: date-time
1497 type: string
1498 message:
1499 description: message is a human readable message indicating
1500 details about the transition. This may be an empty string.
1501 maxLength: 32768
1502 type: string
1503 observedGeneration:
1504 description: observedGeneration represents the .metadata.generation
1505 that the condition was set based upon. For instance, if .metadata.generation
1506 is currently 12, but the .status.conditions[x].observedGeneration
1507 is 9, the condition is out of date with respect to the current
1508 state of the instance.
1509 format: int64
1510 minimum: 0
1511 type: integer
1512 reason:
1513 description: reason contains a programmatic identifier indicating
1514 the reason for the condition's last transition. Producers
1515 of specific condition types may define expected values and
1516 meanings for this field, and whether the values are considered
1517 a guaranteed API. The value should be a CamelCase string.
1518 This field may not be empty.
1519 maxLength: 1024
1520 minLength: 1
1521 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
1522 type: string
1523 status:
1524 description: status of the condition, one of True, False, Unknown.
1525 enum:
1526 - "True"
1527 - "False"
1528 - Unknown
1529 type: string
1530 type:
1531 description: type of condition in CamelCase or in foo.example.com/CamelCase.
1532 --- Many .condition.type values are consistent across resources
1533 like Available, but because arbitrary conditions can be useful
1534 (see .node.status.conditions), the ability to deconflict is
1535 important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
1536 maxLength: 316
1537 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
1538 type: string
1539 required:
1540 - lastTransitionTime
1541 - message
1542 - reason
1543 - status
1544 - type
1545 type: object
1546 maxItems: 8
1547 type: array
1548 x-kubernetes-list-map-keys:
1549 - type
1550 x-kubernetes-list-type: map
1551 listeners:
1552 description: Listeners provide status for each unique listener port
1553 defined in the Spec.
1554 items:
1555 description: ListenerStatus is the status associated with a Listener.
1556 properties:
1557 attachedRoutes:
1558 description: "AttachedRoutes represents the total number of
1559 Routes that have been successfully attached to this Listener.
1560 \n Successful attachment of a Route to a Listener is based
1561 solely on the combination of the AllowedRoutes field on the
1562 corresponding Listener and the Route's ParentRefs field. A
1563 Route is successfully attached to a Listener when it is selected
1564 by the Listener's AllowedRoutes field AND the Route has a
1565 valid ParentRef selecting the whole Gateway resource or a
1566 specific Listener as a parent resource (more detail on attachment
1567 semantics can be found in the documentation on the various
1568 Route kinds ParentRefs fields). Listener or Route status does
1569 not impact successful attachment, i.e. the AttachedRoutes
1570 field count MUST be set for Listeners with condition Accepted:
1571 false and MUST count successfully attached Routes that may
1572 themselves have Accepted: false conditions. \n Uses for this
1573 field include troubleshooting Route attachment and measuring
1574 blast radius/impact of changes to a Listener."
1575 format: int32
1576 type: integer
1577 conditions:
1578 description: Conditions describe the current condition of this
1579 listener.
1580 items:
1581 description: "Condition contains details for one aspect of
1582 the current state of this API Resource. --- This struct
1583 is intended for direct use as an array at the field path
1584 .status.conditions. For example, \n type FooStatus struct{
1585 // Represents the observations of a foo's current state.
1586 // Known .status.conditions.type are: \"Available\", \"Progressing\",
1587 and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
1588 // +listType=map // +listMapKey=type Conditions []metav1.Condition
1589 `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
1590 protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
1591 }"
1592 properties:
1593 lastTransitionTime:
1594 description: lastTransitionTime is the last time the condition
1595 transitioned from one status to another. This should
1596 be when the underlying condition changed. If that is
1597 not known, then using the time when the API field changed
1598 is acceptable.
1599 format: date-time
1600 type: string
1601 message:
1602 description: message is a human readable message indicating
1603 details about the transition. This may be an empty string.
1604 maxLength: 32768
1605 type: string
1606 observedGeneration:
1607 description: observedGeneration represents the .metadata.generation
1608 that the condition was set based upon. For instance,
1609 if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
1610 is 9, the condition is out of date with respect to the
1611 current state of the instance.
1612 format: int64
1613 minimum: 0
1614 type: integer
1615 reason:
1616 description: reason contains a programmatic identifier
1617 indicating the reason for the condition's last transition.
1618 Producers of specific condition types may define expected
1619 values and meanings for this field, and whether the
1620 values are considered a guaranteed API. The value should
1621 be a CamelCase string. This field may not be empty.
1622 maxLength: 1024
1623 minLength: 1
1624 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
1625 type: string
1626 status:
1627 description: status of the condition, one of True, False,
1628 Unknown.
1629 enum:
1630 - "True"
1631 - "False"
1632 - Unknown
1633 type: string
1634 type:
1635 description: type of condition in CamelCase or in foo.example.com/CamelCase.
1636 --- Many .condition.type values are consistent across
1637 resources like Available, but because arbitrary conditions
1638 can be useful (see .node.status.conditions), the ability
1639 to deconflict is important. The regex it matches is
1640 (dns1123SubdomainFmt/)?(qualifiedNameFmt)
1641 maxLength: 316
1642 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
1643 type: string
1644 required:
1645 - lastTransitionTime
1646 - message
1647 - reason
1648 - status
1649 - type
1650 type: object
1651 maxItems: 8
1652 type: array
1653 x-kubernetes-list-map-keys:
1654 - type
1655 x-kubernetes-list-type: map
1656 name:
1657 description: Name is the name of the Listener that this status
1658 corresponds to.
1659 maxLength: 253
1660 minLength: 1
1661 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1662 type: string
1663 supportedKinds:
1664 description: "SupportedKinds is the list indicating the Kinds
1665 supported by this listener. This MUST represent the kinds
1666 an implementation supports for that Listener configuration.
1667 \n If kinds are specified in Spec that are not supported,
1668 they MUST NOT appear in this list and an implementation MUST
1669 set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
1670 reason. If both valid and invalid Route kinds are specified,
1671 the implementation MUST reference the valid Route kinds that
1672 have been specified."
1673 items:
1674 description: RouteGroupKind indicates the group and kind of
1675 a Route resource.
1676 properties:
1677 group:
1678 default: gateway.networking.k8s.io
1679 description: Group is the group of the Route.
1680 maxLength: 253
1681 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1682 type: string
1683 kind:
1684 description: Kind is the kind of the Route.
1685 maxLength: 63
1686 minLength: 1
1687 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
1688 type: string
1689 required:
1690 - kind
1691 type: object
1692 maxItems: 8
1693 type: array
1694 required:
1695 - attachedRoutes
1696 - conditions
1697 - name
1698 - supportedKinds
1699 type: object
1700 maxItems: 64
1701 type: array
1702 x-kubernetes-list-map-keys:
1703 - name
1704 x-kubernetes-list-type: map
1705 type: object
1706 required:
1707 - spec
1708 type: object
1709 served: true
1710 storage: true
1711 subresources:
1712 status: {}
1713status:
1714 acceptedNames:
1715 kind: ""
1716 plural: ""
1717 conditions: null
1718 storedVersions: null
View as plain text