diff --git a/Makefile b/Makefile
index 084cadbcfb..b02976640f 100644
--- a/Makefile
+++ b/Makefile
@@ -223,7 +223,7 @@ endif
# To update the Envoy Gateway version, see "Updating the bundled version of
# Envoy Gateway" in docs/common_tasks.md.
ENVOY_GATEWAY_HELM_CHART ?= oci://docker.io/envoyproxy/gateway-helm
-ENVOY_GATEWAY_VERSION ?= v1.3.2
+ENVOY_GATEWAY_VERSION ?= v1.5.7
ENVOY_GATEWAY_PREFIX ?= tigera-gateway-api
ENVOY_GATEWAY_NAMESPACE ?= tigera-gateway
ENVOY_GATEWAY_RESOURCES = pkg/render/gateway_api_resources.yaml
diff --git a/go.mod b/go.mod
index db2601f726..6cb89dfa34 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module github.com/tigera/operator
-go 1.24.10
+go 1.24.11
require (
github.com/aws/aws-sdk-go v1.55.5
@@ -8,10 +8,10 @@ require (
github.com/containernetworking/cni v1.2.3
github.com/corazawaf/coraza-coreruleset/v4 v4.7.0
github.com/elastic/cloud-on-k8s/v2 v2.0.0-20250129010100-648f902d9807
- github.com/envoyproxy/gateway v1.3.2
+ github.com/envoyproxy/gateway v1.5.7
github.com/go-ldap/ldap v3.0.3+incompatible
- github.com/go-logr/logr v1.4.2
- github.com/google/go-cmp v0.6.0
+ github.com/go-logr/logr v1.4.3
+ github.com/google/go-cmp v0.7.0
github.com/hashicorp/go-version v1.7.0
github.com/olivere/elastic/v7 v7.0.32
github.com/onsi/ginkgo v1.16.5
@@ -33,21 +33,21 @@ require (
gopkg.in/inf.v0 v0.9.1
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
- k8s.io/api v0.32.9
- k8s.io/apiextensions-apiserver v0.32.9
- k8s.io/apimachinery v0.32.9
- k8s.io/apiserver v0.32.9
- k8s.io/client-go v0.32.9
+ k8s.io/api v0.33.3
+ k8s.io/apiextensions-apiserver v0.33.3
+ k8s.io/apimachinery v0.33.3
+ k8s.io/apiserver v0.33.3
+ k8s.io/client-go v0.33.3
k8s.io/kube-aggregator v0.32.9
- sigs.k8s.io/controller-runtime v0.20.2
- sigs.k8s.io/gateway-api v1.2.1
- sigs.k8s.io/kind v0.24.0 // Do not remove, not used by code but used by build
- sigs.k8s.io/yaml v1.4.0
+ sigs.k8s.io/controller-runtime v0.21.0
+ sigs.k8s.io/gateway-api v1.3.1-0.20250527223622-54df0a899c1c
+ sigs.k8s.io/kind v0.29.0 // Do not remove, not used by code but used by build
+ sigs.k8s.io/yaml v1.6.0
)
require (
- github.com/BurntSushi/toml v1.4.0 // indirect
- github.com/alessio/shellescape v1.4.2 // indirect
+ al.essio.dev/pkg/shellescape v1.5.1 // indirect
+ github.com/BurntSushi/toml v1.5.0 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
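Review bot: k8s.io/kube-aggregator stays at v0.32.9 on the unchanged context line while k8s.io/api, apiextensions-apiserver, apimachinery, apiserver and client-go all move to v0.33.3, so the module graph now mixes two Kubernetes API minor versions; the staging modules are meant to be bumped in lockstep, so this should read `k8s.io/kube-aggregator v0.33.3`, or a comment should record why it is deliberately held back. sigs.k8s.io/gateway-api is pinned to a pseudo-version (`v1.3.1-0.20250527223622-54df0a899c1c`), an untagged commit rather than a release tag, which presumably tracks what envoyproxy/gateway v1.5.7 itself requires; a trailing comment such as `// pinned to the commit required by envoyproxy/gateway v1.5.7` would make that dependency explicit so a later `go get -u` does not silently move it, and it flags that the go.sum hash is the only integrity anchor for this revision. If the bump was done by hand rather than by `go mod tidy`, running tidy would also confirm no other k8s.io module was left on the 0.32 line.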
@@ -57,22 +57,20 @@ require (
github.com/elastic/go-ucfg v0.8.8 // indirect
github.com/elastic/go-windows v1.0.1 // indirect
github.com/emicklei/go-restful/v3 v3.12.1 // indirect
- github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+ github.com/evanphx/json-patch v5.9.11+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
- github.com/fsnotify/fsnotify v1.8.0 // indirect
- github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+ github.com/fsnotify/fsnotify v1.9.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.8.0 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
- github.com/go-openapi/jsonpointer v0.21.0 // indirect
+ github.com/go-openapi/jsonpointer v0.21.1 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
- github.com/go-openapi/swag v0.23.0 // indirect
+ github.com/go-openapi/swag v0.23.1 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.6.9 // indirect
- github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
- github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -82,22 +80,21 @@ require (
github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/compress v1.17.11 // indirect
github.com/magefile/mage v1.14.0 // indirect
- github.com/mailru/easyjson v0.7.7 // indirect
+ github.com/mailru/easyjson v0.9.0 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nxadm/tail v1.4.8 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
- github.com/prometheus/client_golang v1.20.5 // indirect
- github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.62.0 // indirect
- github.com/prometheus/procfs v0.15.1 // indirect
- github.com/spf13/cobra v1.8.1 // indirect
- github.com/spf13/pflag v1.0.5 // indirect
+ github.com/prometheus/client_golang v1.23.0 // indirect
+ github.com/prometheus/client_model v0.6.2 // indirect
+ github.com/prometheus/common v0.65.0 // indirect
+ github.com/prometheus/procfs v0.17.0 // indirect
+ github.com/spf13/cobra v1.9.1 // indirect
+ github.com/spf13/pflag v1.0.7 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
github.com/x448/float16 v0.8.4 // indirect
@@ -105,6 +102,8 @@ require (
go.elastic.co/apm/v2 v2.6.2 // indirect
go.elastic.co/fastjson v1.3.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
+ go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/oauth2 v0.32.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.39.0 // indirect
@@ -112,18 +111,19 @@ require (
golang.org/x/text v0.32.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.39.0 // indirect
- gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/protobuf v1.36.3 // indirect
+ google.golang.org/protobuf v1.36.10 // indirect
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
howett.net/plist v1.0.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
- k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
+ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+ k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
+ sigs.k8s.io/randfill v1.0.0 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
)
replace (
diff --git a/go.sum b/go.sum
index b74afa6989..b5d25e72d9 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
-github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
-github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/alessio/shellescape v1.4.2 h1:MHPfaU+ddJ0/bYWpgIeUnQUqKrlJ1S7BfEYPM4uEoM0=
-github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
@@ -16,19 +16,23 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cloudflare/cfssl v1.6.5 h1:46zpNkm6dlNkMZH/wMW22ejih6gIaJbzL2du6vD7ZeI=
github.com/cloudflare/cfssl v1.6.5/go.mod h1:Bk1si7sq8h2+yVEDrFJiz3d7Aw+pfjjJSZVaD+Taky4=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8FuJbEslXM=
github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M=
github.com/corazawaf/coraza-coreruleset/v4 v4.7.0 h1:j02CDxQYHVFZfBxbKLWYg66jSLbPmZp1GebyMwzN9Z0=
github.com/corazawaf/coraza-coreruleset/v4 v4.7.0/go.mod h1:1FQt1p+JSQ6tYrafMqZrEEdDmhq6aVuIJdnk+bM9hMY=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v27.5.0+incompatible h1:um++2NcQtGRTz5eEgO6aJimo6/JxrTXC941hd05JO6U=
-github.com/docker/docker v27.5.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -43,10 +47,10 @@ github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUt
github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU=
github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/gateway v1.3.2 h1:JpCWRIQyVdLOtHEZ0AX/fB2jFL/u6zBKKXu56H16lyw=
-github.com/envoyproxy/gateway v1.3.2/go.mod h1:O8bWdOd8GNBGoxPomNnh5u19zpNYkXly3iz8KZTm0d4=
-github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
-github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/envoyproxy/gateway v1.5.7 h1:41ZerUfu/aFb1vLOWIkAQ89eChUOolZTSIp11rxNBnc=
+github.com/envoyproxy/gateway v1.5.7/go.mod h1:1clu3bLXvhpEWQg6A0PCwJfJFhFPbDxqFSMmZj2NiF4=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -55,24 +59,24 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
-github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/go-ldap/ldap v3.0.3+incompatible h1:HTeSZO8hWMS1Rgb2Ziku6b8a7qRIZZMHjsvuZyatzwk=
github.com/go-ldap/ldap v3.0.3+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic=
+github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk=
github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
-github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
-github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
+github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
@@ -98,15 +102,15 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
-github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 h1:SJ+NtwL6QaZ21U+IrK7d0gGgpjGGvd2kz+FzTHVzdqI=
-github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2/go.mod h1:Tv1PlzqC9t8wNnpPdctvtSUOPUUg4SHeE6vR1Ir2hmg=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -137,8 +141,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -149,8 +153,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
+github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -158,8 +162,9 @@ github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6U
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
@@ -180,8 +185,8 @@ github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
github.com/openshift/api v0.0.0-20240924220842-3c700b6cb32b h1:3CDA+4Ed9JWKNs3czWoq1DcI2rjWMShIpoIiPFey11o=
github.com/openshift/api v0.0.0-20240924220842-3c700b6cb32b/go.mod h1:OOh6Qopf21pSzqNVCB5gomomBXb8o5sGKZxG2KNpaXM=
github.com/openshift/library-go v0.0.0-20240930172803-190f286b06b1 h1:LmCFe7kihBKR1fp9QyHwHqxbEOwMxNKBUGgbwdnuq9E=
@@ -198,25 +203,26 @@ github.com/projectcalico/api v0.0.0-20240708202104-e3f70b269c2c h1:eFyfeRDV94LA3
github.com/projectcalico/api v0.0.0-20240708202104-e3f70b269c2c/go.mod h1:9EPxrA4rUH306dCpvVsFb7IcEFt4ZSvqmfSowfb6c5U=
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0 h1:AHzMWDxNiAVscJL6+4wkvFRTpMnJqiaZFEKA/osaBXE=
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc=
+github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
+github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
github.com/r3labs/diff/v2 v2.15.1 h1:EOrVqPUzi+njlumoqJwiS/TgGgmZo83619FNDB9xQUg=
github.com/r3labs/diff/v2 v2.15.1/go.mod h1:I8noH9Fc2fjSaMxqF3G2lhDdC0b+JXCfyx85tWFM9kc=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
+github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
@@ -230,8 +236,8 @@ github.com/tigera/api v0.0.0-20230406222214-ca74195900cb h1:Y7r5Al3V235KaEoAzGBz
github.com/tigera/api v0.0.0-20230406222214-ca74195900cb/go.mod h1:ZZghiX3CUsBAc0osBjRvV6y/eun2ObYdvSbjqXAoj/w=
github.com/urfave/cli/v3 v3.0.0-beta1 h1:6DTaaUarcM0wX7qj5Hcvs+5Dm3dyUTBbEwIWAjcw9Zg=
github.com/urfave/cli/v3 v3.0.0-beta1/go.mod h1:FnIeEMYu+ko8zP1F9Ypr3xkZMIDqW3DR92yUtY39q1Y=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
-github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -250,27 +256,31 @@ go.elastic.co/fastjson v1.3.0 h1:hJO3OsYIhiqiT4Fgu0ZxAECnKASbwgiS+LMW5oCopKs=
go.elastic.co/fastjson v1.3.0/go.mod h1:K9vDh7O0ODsVKV2B5e2XYLY277QZaCbB3tS1SnARvko=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
-go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
-go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
-go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
-go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
-go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
-golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk=
-golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -324,8 +334,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
-gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
+gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
@@ -335,8 +345,8 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
-google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -363,33 +373,37 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-k8s.io/api v0.32.9 h1:q/59kk8lnecgG0grJqzrmXC1Jcl2hPWp9ltz0FQuoLI=
-k8s.io/api v0.32.9/go.mod h1:jIfT3rwW4EU1IXZm9qjzSk/2j91k4CJL5vUULrxqp3Y=
-k8s.io/apiextensions-apiserver v0.32.9 h1:tpT1dUgWqEsTyrdoGckyw8OBASW1JfU08tHGaYBzFHY=
-k8s.io/apiextensions-apiserver v0.32.9/go.mod h1:FoCi4zCLK67LNCCssFa2Wr9q4Xbvjx7MW4tdze5tpoA=
-k8s.io/apimachinery v0.32.9 h1:fXk8ktfsxrdThaEOAQFgkhCK7iyoyvS8nbYJ83o/SSs=
-k8s.io/apimachinery v0.32.9/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/apiserver v0.32.9 h1:ONHLA/VB6U7s0skCzmyLnjQdJ5FPCQF08yBI0j7y84o=
-k8s.io/apiserver v0.32.9/go.mod h1:MuuqNdvkneD4kcQc5mUZQCOQYzfKMba6P36bVW+wZtI=
-k8s.io/client-go v0.32.9 h1:ZMyIQ1TEpTDAQni3L2gH1NZzyOA/gHfNcAazzCxMJ0c=
-k8s.io/client-go v0.32.9/go.mod h1:2OT8aFSYvUjKGadaeT+AVbhkXQSpMAkiSb88Kz2WggI=
+k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8=
+k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE=
+k8s.io/apiextensions-apiserver v0.33.3 h1:qmOcAHN6DjfD0v9kxL5udB27SRP6SG/MTopmge3MwEs=
+k8s.io/apiextensions-apiserver v0.33.3/go.mod h1:oROuctgo27mUsyp9+Obahos6CWcMISSAPzQ77CAQGz8=
+k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
+k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/apiserver v0.33.3 h1:Wv0hGc+QFdMJB4ZSiHrCgN3zL3QRatu56+rpccKC3J4=
+k8s.io/apiserver v0.33.3/go.mod h1:05632ifFEe6TxwjdAIrwINHWE2hLwyADFk5mBsQa15E=
+k8s.io/client-go v0.33.3 h1:M5AfDnKfYmVJif92ngN532gFqakcGi6RvaOF16efrpA=
+k8s.io/client-go v0.33.3/go.mod h1:luqKBQggEf3shbxHY4uVENAxrDISLOarxpTKMiUuujg=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-aggregator v0.32.9 h1:hDGfZTEKmBCQqTy9wcTOCa0wc6IpxfrXLt7GKCvh1oY=
k8s.io/kube-aggregator v0.32.9/go.mod h1:3CdPoAjB2tRm9Gn8fjaDAeuv6zKujm3aSfdmILBWPTk=
-k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 h1:hcha5B1kVACrLujCKLbr8XWMxCxzQx42DY8QKYJrDLg=
-k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7/go.mod h1:GewRfANuJ70iYzvn+i4lezLDAFzvjxZYK1gn1lWcfas=
-k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
-k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.20.2 h1:/439OZVxoEc02psi1h4QO3bHzTgu49bb347Xp4gW1pc=
-sigs.k8s.io/controller-runtime v0.20.2/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
-sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM=
-sigs.k8s.io/gateway-api v1.2.1/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
+k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
+k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
+sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/gateway-api v1.3.1-0.20250527223622-54df0a899c1c h1:GS4VnGRV90GEUjrgQ2GT5ii6yzWj3KtgUg+sVMdhs5c=
+sigs.k8s.io/gateway-api v1.3.1-0.20250527223622-54df0a899c1c/go.mod h1:d8NV8nJbaRbEKem+5IuxkL8gJGOZ+FJ+NvOIltV8gDk=
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
-sigs.k8s.io/kind v0.24.0 h1:g4y4eu0qa+SCeKESLpESgMmVFBebL0BDa6f777OIWrg=
-sigs.k8s.io/kind v0.24.0/go.mod h1:t7ueEpzPYJvHA8aeLtI52rtFftNgUYUaCwvxjk7phfw=
-sigs.k8s.io/structured-merge-diff/v4 v4.5.0 h1:nbCitCK2hfnhyiKo6uf2HxUPTCodY6Qaf85SbDIaMBk=
-sigs.k8s.io/structured-merge-diff/v4 v4.5.0/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
-sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/kind v0.29.0 h1:3TpCsyh908IkXXpcSnsMjWdwdWjIl7o9IMZImZCWFnI=
+sigs.k8s.io/kind v0.29.0/go.mod h1:ldWQisw2NYyM6k64o/tkZng/1qQW7OlzcN5a8geJX3o=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
diff --git a/pkg/controller/compliance/compliance_controller_test.go b/pkg/controller/compliance/compliance_controller_test.go
index 754d86b48b..c7f13e6e90 100644
--- a/pkg/controller/compliance/compliance_controller_test.go
+++ b/pkg/controller/compliance/compliance_controller_test.go
@@ -1,10 +1,10 @@
-// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2026 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
-// http://www.apache.org/licenses/LICENSE-2.0
+// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
@@ -155,7 +155,7 @@ var _ = Describe("Compliance controller tests", func() {
By("reconciling when clustertype is Standalone")
result, err := r.Reconcile(ctx, reconcile.Request{})
Expect(err).NotTo(HaveOccurred())
- Expect(result.Requeue).NotTo(BeTrue())
+ Expect(result.RequeueAfter).To(Equal(0 * time.Second))
dpl := appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{},
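Review bot: The replacement assertion `Expect(result.RequeueAfter).To(Equal(0 * time.Second))` no longer checks `result.Requeue`, so a reconciler that still returns `Requeue: true` would now pass where the old line failed. Since the intent of these checks is "no requeue was requested", `Expect(result.IsZero()).To(BeTrue())` covers both fields of `reconcile.Result` and drops the dependency on the `time` package; if the duration comparison is kept, `To(BeZero())` reads more directly than `Equal(0 * time.Second)`. The same one-line replacement appears in the hunks ending at L529, L537, L545, L553 and L561, so whichever form is chosen should be applied to all six. The enclosing Describe block starts outside the hunk, so I cannot see whether `time` is already imported in this file; if it is not, the new form as written needs the import added.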
@@ -193,7 +193,7 @@ var _ = Describe("Compliance controller tests", func() {
By("reconciling when clustertype is Standalone")
result, err := r.Reconcile(ctx, reconcile.Request{})
Expect(err).NotTo(HaveOccurred())
- Expect(result.Requeue).NotTo(BeTrue())
+ Expect(result.RequeueAfter).To(Equal(0 * time.Second))
By("replacing the server certs with user-supplied certs")
Expect(c.Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{
@@ -222,7 +222,7 @@ var _ = Describe("Compliance controller tests", func() {
By("checking that an error occurred and the cert didn't change")
result, err = r.Reconcile(ctx, reconcile.Request{})
Expect(err).NotTo(HaveOccurred())
- Expect(result.Requeue).NotTo(BeTrue())
+ Expect(result.RequeueAfter).To(Equal(0 * time.Second))
assertExpectedCertDNSNames(c, oldDNSNames...)
})
@@ -230,7 +230,7 @@ var _ = Describe("Compliance controller tests", func() {
By("reconciling when clustertype is Standalone")
result, err := r.Reconcile(ctx, reconcile.Request{})
Expect(err).NotTo(HaveOccurred())
- Expect(result.Requeue).NotTo(BeTrue())
+ Expect(result.RequeueAfter).To(Equal(0 * time.Second))
By("replacing the server certs with ones that include the expected DNS names")
Expect(c.Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{
@@ -259,7 +259,7 @@ var _ = Describe("Compliance controller tests", func() {
By("checking that an error occurred and the cert didn't change")
result, err = r.Reconcile(ctx, reconcile.Request{})
Expect(err).NotTo(HaveOccurred())
- Expect(result.Requeue).NotTo(BeTrue())
+ Expect(result.RequeueAfter).To(Equal(0 * time.Second))
assertExpectedCertDNSNames(c, dnsNames...)
})
@@ -296,7 +296,7 @@ var _ = Describe("Compliance controller tests", func() {
By("reconciling when clustertype is Standalone")
result, err := r.Reconcile(ctx, reconcile.Request{})
Expect(err).NotTo(HaveOccurred())
- Expect(result.Requeue).NotTo(BeTrue())
+ Expect(result.RequeueAfter).To(Equal(0 * time.Second))
By("creating a compliance-server deployment")
dpl := appsv1.Deployment{
diff --git a/pkg/crds/operator/operator.tigera.io_apiservers.yaml b/pkg/crds/operator/operator.tigera.io_apiservers.yaml
index 02b5c8bf8c..afe8dc9263 100644
--- a/pkg/crds/operator/operator.tigera.io_apiservers.yaml
+++ b/pkg/crds/operator/operator.tigera.io_apiservers.yaml
@@ -407,7 +407,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -422,7 +421,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -592,7 +590,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -607,7 +604,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -776,7 +772,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -791,7 +786,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -961,7 +955,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -976,7 +969,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1435,7 +1427,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -1445,7 +1436,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/pkg/crds/operator/operator.tigera.io_egressgateways.yaml b/pkg/crds/operator/operator.tigera.io_egressgateways.yaml
index 07a701f212..d75294aa21 100644
--- a/pkg/crds/operator/operator.tigera.io_egressgateways.yaml
+++ b/pkg/crds/operator/operator.tigera.io_egressgateways.yaml
@@ -510,7 +510,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -525,7 +524,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -693,7 +691,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -708,7 +705,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -874,7 +870,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -889,7 +884,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1057,7 +1051,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1072,7 +1065,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1497,7 +1489,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -1507,7 +1498,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml b/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml
index 37cae7d558..810e4a74d0 100644
--- a/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml
+++ b/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml
@@ -418,7 +418,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -433,7 +432,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -603,7 +601,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -618,7 +615,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -787,7 +783,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -802,7 +797,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -972,7 +966,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -987,7 +980,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1564,7 +1556,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1579,7 +1570,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1749,7 +1739,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1764,7 +1753,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1933,7 +1921,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1948,7 +1935,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2118,7 +2104,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2133,7 +2118,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2725,7 +2709,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2740,7 +2723,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2910,7 +2892,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2925,7 +2906,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3094,7 +3074,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3109,7 +3088,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3279,7 +3257,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3294,7 +3271,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3618,7 +3594,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -3628,7 +3603,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/pkg/crds/operator/operator.tigera.io_goldmanes.yaml b/pkg/crds/operator/operator.tigera.io_goldmanes.yaml
index 879d83d96d..f1b163e9ff 100644
--- a/pkg/crds/operator/operator.tigera.io_goldmanes.yaml
+++ b/pkg/crds/operator/operator.tigera.io_goldmanes.yaml
@@ -442,7 +442,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -457,7 +456,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -627,7 +625,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -642,7 +639,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -811,7 +807,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -826,7 +821,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -996,7 +990,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1011,7 +1004,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1351,7 +1343,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -1361,7 +1352,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/pkg/crds/operator/operator.tigera.io_installations.yaml b/pkg/crds/operator/operator.tigera.io_installations.yaml
index 02be1f41f9..29d28286ca 100644
--- a/pkg/crds/operator/operator.tigera.io_installations.yaml
+++ b/pkg/crds/operator/operator.tigera.io_installations.yaml
@@ -425,7 +425,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -440,7 +439,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -610,7 +608,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -625,7 +622,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -794,7 +790,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -809,7 +804,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -979,7 +973,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -994,7 +987,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1832,7 +1824,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1847,7 +1838,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2017,7 +2007,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2032,7 +2021,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2201,7 +2189,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2216,7 +2203,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2386,7 +2372,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2401,7 +2386,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3077,7 +3061,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3092,7 +3075,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3262,7 +3244,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3277,7 +3258,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3446,7 +3426,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3461,7 +3440,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3631,7 +3609,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3646,7 +3623,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4323,7 +4299,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4338,7 +4313,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4508,7 +4482,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4523,7 +4496,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4692,7 +4664,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4707,7 +4678,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4877,7 +4847,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4892,7 +4861,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -5709,7 +5677,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -5724,7 +5691,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -5894,7 +5860,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -5909,7 +5874,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -6078,7 +6042,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -6093,7 +6056,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -6263,7 +6225,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -6278,7 +6239,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7338,7 +7298,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7353,7 +7312,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7523,7 +7481,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7538,7 +7495,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7707,7 +7663,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7722,7 +7677,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7892,7 +7846,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7907,7 +7860,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -8343,7 +8295,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -8353,7 +8304,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
@@ -8851,7 +8801,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -8866,7 +8815,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -9038,7 +8986,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -9053,7 +9000,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -9225,7 +9171,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -9240,7 +9185,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -9412,7 +9356,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -9427,7 +9370,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10275,7 +10217,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10290,7 +10231,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10462,7 +10402,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10477,7 +10416,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10649,7 +10587,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10664,7 +10601,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10836,7 +10772,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -10851,7 +10786,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -11535,7 +11469,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -11550,7 +11483,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -11722,7 +11654,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -11737,7 +11668,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -11909,7 +11839,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -11924,7 +11853,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -12096,7 +12024,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -12111,7 +12038,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -12796,7 +12722,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -12811,7 +12736,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -12983,7 +12907,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -12998,7 +12921,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -13170,7 +13092,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -13185,7 +13106,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -13357,7 +13277,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -13372,7 +13291,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14201,7 +14119,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14216,7 +14133,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14388,7 +14304,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14403,7 +14318,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14575,7 +14489,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14590,7 +14503,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14762,7 +14674,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -14777,7 +14688,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -15846,7 +15756,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -15861,7 +15770,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -16033,7 +15941,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -16048,7 +15955,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -16220,7 +16126,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -16235,7 +16140,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -16407,7 +16311,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -16422,7 +16325,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -16861,7 +16763,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -16871,7 +16772,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/pkg/crds/operator/operator.tigera.io_tenants.yaml b/pkg/crds/operator/operator.tigera.io_tenants.yaml
index ab34e7923a..d80f85d35c 100644
--- a/pkg/crds/operator/operator.tigera.io_tenants.yaml
+++ b/pkg/crds/operator/operator.tigera.io_tenants.yaml
@@ -523,7 +523,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -538,7 +537,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -708,7 +706,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -723,7 +720,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -892,7 +888,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -907,7 +902,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1077,7 +1071,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1092,7 +1085,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
diff --git a/pkg/crds/operator/operator.tigera.io_whiskers.yaml b/pkg/crds/operator/operator.tigera.io_whiskers.yaml
index 0b41781105..a16774cd1a 100644
--- a/pkg/crds/operator/operator.tigera.io_whiskers.yaml
+++ b/pkg/crds/operator/operator.tigera.io_whiskers.yaml
@@ -448,7 +448,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -463,7 +462,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -633,7 +631,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -648,7 +645,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -817,7 +813,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -832,7 +827,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1002,7 +996,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1017,7 +1010,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1358,7 +1350,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -1368,7 +1359,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/pkg/render/gateway_api.go b/pkg/render/gateway_api.go
index 506f072ef6..435666b88a 100644
--- a/pkg/render/gateway_api.go
+++ b/pkg/render/gateway_api.go
@@ -27,6 +27,8 @@ import (
rcomp "github.com/tigera/operator/pkg/render/common/components"
rmeta "github.com/tigera/operator/pkg/render/common/meta"
"github.com/tigera/operator/pkg/render/common/secret"
+
+ admissionregv1 "k8s.io/api/admissionregistration/v1"
appsv1 "k8s.io/api/apps/v1"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
@@ -51,24 +53,25 @@ type yamlKind struct {
// This struct defines all of the resources that we expect to read from the rendered Envoy Gateway
// helm chart (as of the version indicated by `ENVOY_GATEWAY_VERSION` in `Makefile`).
type gatewayAPIResources struct {
- namespace *corev1.Namespace
- k8sCRDs []*apiextenv1.CustomResourceDefinition
- envoyCRDs []*apiextenv1.CustomResourceDefinition
- controllerServiceAccount *corev1.ServiceAccount
- envoyGatewayConfigMap *corev1.ConfigMap
- envoyGatewayConfig *envoyapi.EnvoyGateway
- clusterRole *rbacv1.ClusterRole
- clusterRoleBinding *rbacv1.ClusterRoleBinding
- role *rbacv1.Role
- roleBinding *rbacv1.RoleBinding
- leaderElectionRole *rbacv1.Role
- leaderElectionRoleBinding *rbacv1.RoleBinding
- controllerService *corev1.Service
- controllerDeployment *appsv1.Deployment
- certgenServiceAccount *corev1.ServiceAccount
- certgenRole *rbacv1.Role
- certgenRoleBinding *rbacv1.RoleBinding
- certgenJob *batchv1.Job
+ namespace *corev1.Namespace
+ k8sCRDs []*apiextenv1.CustomResourceDefinition
+ envoyCRDs []*apiextenv1.CustomResourceDefinition
+ controllerServiceAccount *corev1.ServiceAccount
+ envoyGatewayConfigMap *corev1.ConfigMap
+ envoyGatewayConfig *envoyapi.EnvoyGateway
+ clusterRoles []*rbacv1.ClusterRole
+ clusterRoleBindings []*rbacv1.ClusterRoleBinding
+ role *rbacv1.Role
+ roleBinding *rbacv1.RoleBinding
+ leaderElectionRole *rbacv1.Role
+ leaderElectionRoleBinding *rbacv1.RoleBinding
+ controllerService *corev1.Service
+ controllerDeployment *appsv1.Deployment
+ certgenServiceAccount *corev1.ServiceAccount
+ certgenRole *rbacv1.Role
+ certgenRoleBinding *rbacv1.RoleBinding
+ certgenJob *batchv1.Job
+ mutatingWebhookConfigurations []*admissionregv1.MutatingWebhookConfiguration
}
const (
@@ -109,7 +112,7 @@ func GatewayAPIResourcesGetter() func() *gatewayAPIResources {
if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
}
- if strings.HasSuffix(obj.Name, ".gateway.networking.k8s.io") {
+ if strings.HasSuffix(obj.Name, ".gateway.networking.k8s.io") || strings.HasSuffix(obj.Name, ".gateway.networking.x-k8s.io") {
resources.k8sCRDs = append(resources.k8sCRDs, obj)
} else if strings.HasSuffix(obj.Name, ".gateway.envoyproxy.io") {
resources.envoyCRDs = append(resources.envoyCRDs, obj)
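Review bot: The widened suffix check on the `if` line silently folds experimental-channel CRDs (`.gateway.networking.x-k8s.io`) into `k8sCRDs` with nothing recording why they are installed alongside the standard-channel ones, so the next maintainer may trim the condition back. Suggest `// Experimental-channel Gateway API CRDs use the x-k8s.io group; they are bundled with the standard ones and included in the k8sCRDs count checked below.` Because the later count assertion is the only guard on which CRDs ship, a name-based allow-list may be worth considering if the experimental set is expected to change between chart versions. GatewayAPIResourcesGetter continues outside the hunk.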
@@ -149,21 +152,17 @@ func GatewayAPIResourcesGetter() func() *gatewayAPIResources {
panic("can't unmarshal EnvoyGateway from envoy-gateway-config ConfigMap from gateway API YAML")
}
case "rbac.authorization.k8s.io/v1/ClusterRole":
- if resources.clusterRole != nil {
- panic("already read a ClusterRole from gateway API YAML")
- }
- resources.clusterRole = &rbacv1.ClusterRole{}
- if err := yaml.Unmarshal([]byte(yml), resources.clusterRole); err != nil {
+ obj := &rbacv1.ClusterRole{}
+ if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
}
+ resources.clusterRoles = append(resources.clusterRoles, obj)
case "rbac.authorization.k8s.io/v1/ClusterRoleBinding":
- if resources.clusterRoleBinding != nil {
- panic("already read a ClusterRoleBinding from gateway API YAML")
- }
- resources.clusterRoleBinding = &rbacv1.ClusterRoleBinding{}
- if err := yaml.Unmarshal([]byte(yml), resources.clusterRoleBinding); err != nil {
+ obj := &rbacv1.ClusterRoleBinding{}
+ if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
}
+ resources.clusterRoleBindings = append(resources.clusterRoleBindings, obj)
case "rbac.authorization.k8s.io/v1/Role":
obj := &rbacv1.Role{}
if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
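Review bot: Dropping the duplicate-ClusterRole and duplicate-ClusterRoleBinding panics means the loader now accepts any number of cluster-scoped RBAC objects, and the only remaining guard (the `len(...) == 0` checks in a later hunk) cannot detect an unexpected extra cluster-wide grant arriving with a refreshed chart. The CRD lists are pinned to exact counts; pinning these the same way, e.g. `if len(resources.clusterRoles) != <expected count> { panic(...) }` (the count comes from the bundled YAML and is not visible here), would make a chart bump that adds cluster-wide RBAC a deliberate review event rather than a silent change. The enclosing switch and function continue outside the hunk.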
@@ -230,6 +229,12 @@ func GatewayAPIResourcesGetter() func() *gatewayAPIResources {
if err := yaml.Unmarshal([]byte(yml), resources.certgenJob); err != nil {
panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
}
+ case "admissionregistration.k8s.io/v1/MutatingWebhookConfiguration":
+ obj := &admissionregv1.MutatingWebhookConfiguration{}
+ if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
+ panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
+ }
+ resources.mutatingWebhookConfigurations = append(resources.mutatingWebhookConfigurations, obj)
case "/":
// No-op. We see this when there is only a comment between
// two "---" delimiters.
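Review bot: The new MutatingWebhookConfiguration case appends to `resources.mutatingWebhookConfigurations`, but as far as the visible validation hunk shows no presence or count check follows for it, unlike every other resource kind loaded here. Adding `if len(resources.mutatingWebhookConfigurations) == 0 { panic("missing MutatingWebhookConfiguration from gateway API YAML") }` beside the ClusterRole checks stops a chart that silently drops the webhook from passing. A mutating admission webhook is a cluster-wide intercept point, so a one-line comment naming the chart component it belongs to and noting that its `failurePolicy`, selectors and `caBundle` are taken verbatim from the bundled YAML would help reviewers of future version bumps. The switch continues outside the hunk.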
@@ -242,8 +247,8 @@ func GatewayAPIResourcesGetter() func() *gatewayAPIResources {
if resources.namespace == nil {
panic("missing Namespace from gateway API YAML")
}
- if len(resources.k8sCRDs) != 10 {
- panic(fmt.Sprintf("missing/extra k8s CRDs from gateway API YAML (%v != 10)", len(resources.k8sCRDs)))
+ if len(resources.k8sCRDs) != 11 {
+ panic(fmt.Sprintf("missing/extra k8s CRDs from gateway API YAML (%v != 11)", len(resources.k8sCRDs)))
}
if len(resources.envoyCRDs) != 8 {
panic(fmt.Sprintf("missing/extra envoy CRDs from gateway API YAML (%v != 8)", len(resources.envoyCRDs)))
@@ -254,10 +259,10 @@ func GatewayAPIResourcesGetter() func() *gatewayAPIResources {
if resources.envoyGatewayConfig == nil {
panic("missing envoy-gateway-config from gateway API YAML")
}
- if resources.clusterRole == nil {
+ if len(resources.clusterRoles) == 0 {
panic("missing ClusterRole from gateway API YAML")
}
- if resources.clusterRoleBinding == nil {
+ if len(resources.clusterRoleBindings) == 0 {
panic("missing ClusterRoleBinding from gateway API YAML")
}
if resources.role == nil {
@@ -411,8 +416,21 @@ func (pr *gatewayAPIImplementationComponent) Objects() ([]client.Object, []clien
// Add all the non-CRD resources, read from YAML, that we can apply without any tweaking.
for _, resource := range []client.Object{
resources.controllerServiceAccount,
- resources.clusterRole,
- resources.clusterRoleBinding,
+ } {
+ // But deep-copy each one so as not to inadvertently modify the cache inside
+ // `GatewayAPIResourcesGetter`.
+ objs = append(objs, resource.DeepCopyObject().(client.Object))
+ }
+ for _, cr := range resources.clusterRoles {
+ objs = append(objs, cr.DeepCopyObject().(client.Object))
+ }
+ for _, crb := range resources.clusterRoleBindings {
+ objs = append(objs, crb.DeepCopyObject().(client.Object))
+ }
+ for _, mwc := range resources.mutatingWebhookConfigurations {
+ objs = append(objs, mwc.DeepCopyObject().(client.Object))
+ }
+ for _, resource := range []client.Object{
resources.role,
resources.roleBinding,
resources.leaderElectionRole,
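Review bot: The mutating webhook configurations are now applied verbatim on every reconcile (the loop over `resources.mutatingWebhookConfigurations`), which is fine for the RBAC objects but risky for a webhook whose `caBundle` may be populated in-cluster rather than in the bundled YAML; if the certgen job or another component writes the bundle after install, a later reconcile would presumably overwrite it with the static value and, depending on `failurePolicy`, break admission. Worth confirming where the `caBundle` comes from and, if it is injected at runtime, preserving that field rather than overwriting it. Separately, the first loop now iterates a one-element slice holding only `resources.controllerServiceAccount`, and the deep-copy comment applies equally to the three new loops, so either fold the service account into the following loop or move the comment above all of them. `Objects` continues outside the hunk.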
diff --git a/pkg/render/gateway_api_resources.yaml b/pkg/render/gateway_api_resources.yaml
index 856899f7e5..3bf5c21790 100644
--- a/pkg/render/gateway_api_resources.yaml
+++ b/pkg/render/gateway_api_resources.yaml
@@ -5,7 +5,7 @@ metadata:
name: tigera-gateway
---
# Source: crds/gatewayapi-crds.yaml
-# Copyright 2024 The Kubernetes Authors.
+# Copyright 2025 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,507 +24,6 @@ metadata:
#
---
#
-# config/crd/experimental/gateway.networking.k8s.io_backendlbpolicies.yaml
-#
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
- gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
- labels:
- gateway.networking.k8s.io/policy: Direct
- name: backendlbpolicies.gateway.networking.k8s.io
-spec:
- group: gateway.networking.k8s.io
- names:
- categories:
- - gateway-api
- kind: BackendLBPolicy
- listKind: BackendLBPolicyList
- plural: backendlbpolicies
- shortNames:
- - blbpolicy
- singular: backendlbpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha2
- schema:
- openAPIV3Schema:
- description: |-
- BackendLBPolicy provides a way to define load balancing rules
- for a backend.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of BackendLBPolicy.
- properties:
- sessionPersistence:
- description: |-
- SessionPersistence defines and configures session persistence
- for the backend.
-
- Support: Extended
- properties:
- absoluteTimeout:
- description: |-
- AbsoluteTimeout defines the absolute timeout of the persistent
- session. Once the AbsoluteTimeout duration has elapsed, the
- session becomes invalid.
-
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- cookieConfig:
- description: |-
- CookieConfig provides configuration settings that are specific
- to cookie-based session persistence.
-
- Support: Core
- properties:
- lifetimeType:
- default: Session
- description: |-
- LifetimeType specifies whether the cookie has a permanent or
- session-based lifetime. A permanent cookie persists until its
- specified expiry time, defined by the Expires or Max-Age cookie
- attributes, while a session cookie is deleted when the current
- session ends.
-
- When set to "Permanent", AbsoluteTimeout indicates the
- cookie's lifetime via the Expires or Max-Age cookie attributes
- and is required.
-
- When set to "Session", AbsoluteTimeout indicates the
- absolute lifetime of the cookie tracked by the gateway and
- is optional.
-
- Support: Core for "Session" type
-
- Support: Extended for "Permanent" type
- enum:
- - Permanent
- - Session
- type: string
- type: object
- idleTimeout:
- description: |-
- IdleTimeout defines the idle timeout of the persistent session.
- Once the session has been idle for more than the specified
- IdleTimeout duration, the session becomes invalid.
-
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- sessionName:
- description: |-
- SessionName defines the name of the persistent session token
- which may be reflected in the cookie or the header. Users
- should avoid reusing session names to prevent unintended
- consequences, such as rejection or unpredictable behavior.
-
- Support: Implementation-specific
- maxLength: 128
- type: string
- type:
- default: Cookie
- description: |-
- Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
- persistence.
-
- Support: Core for "Cookie" type
-
- Support: Extended for "Header" type
- enum:
- - Cookie
- - Header
- type: string
- type: object
- x-kubernetes-validations:
- - message: AbsoluteTimeout must be specified when cookie lifetimeType
- is Permanent
- rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
- || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
- targetRefs:
- description: |-
- TargetRef identifies an API object to apply policy to.
- Currently, Backends (i.e. Service, ServiceImport, or any
- implementation-specific backendRef) are the only valid API
- target references.
- items:
- description: |-
- LocalPolicyTargetReference identifies an API object to apply a direct or
- inherited policy to. This should be used as part of Policy resources
- that can target Gateway API resources. For more information on how this
- policy attachment model works, and a sample Policy resource, refer to
- the policy attachment documentation for Gateway API.
- properties:
- group:
- description: Group is the group of the target resource.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the target resource.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the target resource.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 16
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - group
- - kind
- - name
- x-kubernetes-list-type: map
- required:
- - targetRefs
- type: object
- status:
- description: Status defines the current state of BackendLBPolicy.
- properties:
- ancestors:
- description: |-
- Ancestors is a list of ancestor resources (usually Gateways) that are
- associated with the policy, and the status of the policy with respect to
- each ancestor. When this policy attaches to a parent, the controller that
- manages the parent and the ancestors MUST add an entry to this list when
- the controller first sees the policy and SHOULD update the entry as
- appropriate when the relevant ancestor is modified.
-
- Note that choosing the relevant ancestor is left to the Policy designers;
- an important part of Policy design is designing the right object level at
- which to namespace this status.
-
- Note also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations MUST
- use the ControllerName field to uniquely identify the entries in this list
- that they are responsible for.
-
- Note that to achieve this, the list of PolicyAncestorStatus structs
- MUST be treated as a map with a composite key, made up of the AncestorRef
- and ControllerName fields combined.
-
- A maximum of 16 ancestors will be represented in this list. An empty list
- means the Policy is not relevant for any ancestors.
-
- If this slice is full, implementations MUST NOT add further entries.
- Instead they MUST consider the policy unimplementable and signal that
- on any related resources such as the ancestor that would be referenced
- here. For example, if this list was full on BackendTLSPolicy, no
- additional Gateways would be able to reference the Service targeted by
- the BackendTLSPolicy.
- items:
- description: |-
- PolicyAncestorStatus describes the status of a route with respect to an
- associated Ancestor.
-
- Ancestors refer to objects that are either the Target of a policy or above it
- in terms of object hierarchy. For example, if a policy targets a Service, the
- Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
- the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
- useful object to place Policy status on, so we recommend that implementations
- SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise.
-
- In the context of policy attachment, the Ancestor is used to distinguish which
- resource results in a distinct application of this policy. For example, if a policy
- targets a Service, it may have a distinct result per attached Gateway.
-
- Policies targeting the same resource may have different effects depending on the
- ancestors of those resources. For example, different Gateways targeting the same
- Service may have different capabilities, especially if they have different underlying
- implementations.
-
- For example, in BackendTLSPolicy, the Policy attaches to a Service that is
- used as a backend in a HTTPRoute that is itself attached to a Gateway.
- In this case, the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status.
-
- Note that a parent is also an ancestor, so for objects where the parent is the
- relevant object for status, this struct SHOULD still be used.
-
- This struct is intended to be used in a slice that's effectively a map,
- with a composite key made up of the AncestorRef and the ControllerName.
- properties:
- ancestorRef:
- description: |-
- AncestorRef corresponds with a ParentRef in the spec that this
- PolicyAncestorStatus struct describes the status of.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: |-
- Group is the group of the referent.
- When unspecified, "gateway.networking.k8s.io" is inferred.
- To set the core API group (such as for a "Service" kind referent),
- Group must be explicitly set to "" (empty string).
-
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: |-
- Kind is kind of the referent.
-
- There are two kinds of parent resources with "Core" support:
-
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
-
- Support for other resources is Implementation-Specific.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: |-
- Name is the name of the referent.
-
- Support: Core
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. When unspecified, this refers
- to the local namespace of the Route.
-
- Note that there are specific rules for ParentRefs which cross namespace
- boundaries. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example:
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable any other kind of cross-namespace reference.
-
-
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
-
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
-
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port is the network port this Route targets. It can be interpreted
- differently based on the type of parent resource.
-
- When the parent resource is a Gateway, this targets all listeners
- listening on the specified port that also support this kind of Route(and
- select this Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to a specific port
- as opposed to a listener(s) whose port(s) may be changed. When both Port
- and SectionName are specified, the name and port of the selected listener
- must match both specified values.
-
-
- When the parent resource is a Service, this targets a specific port in the
- Service spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified values.
-
-
- Implementations MAY choose to support other parent resources.
- Implementations supporting other types of parent resources MUST clearly
- document how/if Port is interpreted.
-
- For the purpose of status, an attachment is considered successful as
- long as the parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
-
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- description: |-
- SectionName is the name of a section within the target resource. In the
- following resources, SectionName is interpreted as the following:
-
- * Gateway: Listener name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
- * Service: Port name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
-
- Implementations MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName is
- interpreted.
-
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
-
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- conditions:
- description: Conditions describes the status of the Policy with
- respect to the given Ancestor.
- items:
- description: Condition contains details for one aspect of
- the current state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- controllerName:
- description: |-
- ControllerName is a domain/path string that indicates the name of the
- controller that wrote this status. This corresponds with the
- controllerName field on GatewayClass.
-
- Example: "example.net/gateway-controller".
-
- The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
- valid Kubernetes names
- (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
-
- Controllers MUST populate this field when writing status. Controllers should ensure that
- entries to status populated with their ControllerName are cleaned up when they are no
- longer necessary.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- required:
- - ancestorRef
- - controllerName
- type: object
- maxItems: 16
- type: array
- required:
- - ancestors
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: null
- storedVersions: null
----
-#
# config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
#
apiVersion: apiextensions.k8s.io/v1
@@ -532,7 +31,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
@@ -614,6 +113,14 @@ spec:
by default, but this default may change in the future to provide
a more granular application of the policy.
+ TargetRefs must be _distinct_. This means either that:
+
+ * They select different targets. If this is the case, then targetRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, and `name` must
+ be unique across all targetRef entries in the BackendTLSPolicy.
+ * They select different sectionNames in the same target.
+
Support: Extended for Kubernetes Service
Support: Implementation-specific for any other resource
@@ -670,6 +177,20 @@ spec:
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when targetRefs includes
+ 2 or more references to the same target
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName
+ == '''') == (!has(p2.sectionName) || p2.sectionName == ''''))
+ : true))'
+ - message: sectionName must be unique when targetRefs includes 2 or
+ more references to the same target
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) ||
+ p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
validation:
description: Validation contains backend TLS validation configuration.
properties:
@@ -681,7 +202,7 @@ spec:
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
- not both. If CACertifcateRefs is empty or unspecified, the configuration for
+ not both. If CACertificateRefs is empty or unspecified, the configuration for
WellKnownCACertificates MUST be honored instead if supported by the implementation.
References to a resource in a different namespace are invalid for the
@@ -739,7 +260,7 @@ spec:
backends:
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
- 2. If SubjectAltNames is not specified, Hostname MUST be used for
+ 2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified.
authentication and MUST match the certificate served by the matching
backend.
@@ -751,10 +272,10 @@ spec:
subjectAltNames:
description: |-
SubjectAltNames contains one or more Subject Alternative Names.
- When specified, the certificate served from the backend MUST have at least one
- Subject Alternate Name matching one of the specified SubjectAltNames.
+ When specified the certificate served from the backend MUST
+ have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
- Support: Core
+ Support: Extended
items:
description: SubjectAltName represents Subject Alternative Name.
properties:
@@ -1161,7 +682,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gatewayclasses.gateway.networking.k8s.io
@@ -1396,7 +917,7 @@ spec:
- type
x-kubernetes-list-type: map
supportedFeatures:
- description: |
+ description: |-
SupportedFeatures is the set of features the GatewayClass support.
It MUST be sorted in ascending alphabetical order by the Name key.
items:
@@ -1640,7 +1161,7 @@ spec:
- type
x-kubernetes-list-type: map
supportedFeatures:
- description: |
+ description: |-
SupportedFeatures is the set of features the GatewayClass support.
It MUST be sorted in ascending alphabetical order by the Name key.
items:
@@ -1681,7 +1202,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gateways.gateway.networking.k8s.io
@@ -1739,7 +1260,7 @@ spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
- description: |+
+ description: |-
Addresses requested for this Gateway. This is optional and behavior can
depend on the implementation. If a value is set in the spec and the
requested address is invalid or unavailable, the implementation MUST
@@ -1760,10 +1281,9 @@ spec:
GatewayStatus.Addresses.
Support: Extended
-
items:
- description: GatewayAddress describes an address that can be bound
- to a Gateway.
+ description: GatewaySpecAddress describes an address that can be
+ bound to a Gateway.
oneOf:
- properties:
type:
@@ -1788,15 +1308,15 @@ spec:
type: string
value:
description: |-
- Value of the address. The validity of the values will depend
- on the type and support by the controller.
+ When a value is unspecified, an implementation SHOULD automatically
+ assign an address matching the requested type if possible.
+
+ If an implementation does not support an empty value, they MUST set the
+ "Programmed" condition in status to False with a reason of "AddressNotAssigned".
Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
maxLength: 253
- minLength: 1
type: string
- required:
- - value
type: object
x-kubernetes-validations:
- message: Hostname value must only contain valid characters (matching
@@ -1812,16 +1332,96 @@ spec:
- message: Hostname values must be unique
rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
+ allowedListeners:
+ description: |-
+ AllowedListeners defines which ListenerSets can be attached to this Gateway.
+ While this feature is experimental, the default value is to allow no ListenerSets.
+ properties:
+ namespaces:
+ default:
+ from: None
+ description: |-
+ Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+ While this feature is experimental, the default value is to allow no ListenerSets.
+ properties:
+ from:
+ default: None
+ description: |-
+ From indicates where ListenerSets can attach to this Gateway. Possible
+ values are:
+
+ * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+ * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+ * All: ListenerSets in all namespaces may be attached to this Gateway.
+ * None: Only listeners defined in the Gateway's spec are allowed
+
+ While this feature is experimental, the default value None
+ enum:
+ - All
+ - Selector
+ - Same
+ - None
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only ListenerSets in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
backendTLS:
- description: |+
+ description: |-
BackendTLS configures TLS settings for when this Gateway is connecting to
backends with TLS.
Support: Core
-
properties:
clientCertificateRef:
- description: |+
+ description: |-
ClientCertificateRef is a reference to an object that contains a Client
Certificate and the associated private key.
@@ -1837,7 +1437,6 @@ spec:
This setting can be overridden on the service level by use of BackendTLSPolicy.
Support: Core
-
properties:
group:
default: ""
@@ -1972,6 +1571,11 @@ spec:
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the Gateway SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
Support: Implementation-specific
properties:
group:
@@ -2002,6 +1606,8 @@ spec:
logical endpoints that are bound on this Gateway's addresses.
At least one Listener MUST be specified.
+ ## Distinct Listeners
+
Each Listener in a set of Listeners (for example, in a single Gateway)
MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
exactly one listener. (This section uses "set of Listeners" rather than
@@ -2013,55 +1619,76 @@ spec:
combination of Port, Protocol, and, if supported by the protocol, Hostname.
Some combinations of port, protocol, and TLS settings are considered
- Core support and MUST be supported by implementations based on their
- targeted conformance profile:
+ Core support and MUST be supported by implementations based on the objects
+ they support:
- HTTP Profile
+ HTTPRoute
1. HTTPRoute, Port: 80, Protocol: HTTP
2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
- TLS Profile
+ TLSRoute
1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
"Distinct" Listeners have the following property:
- The implementation can match inbound requests to a single distinct
- Listener. When multiple Listeners share values for fields (for
+ **The implementation can match inbound requests to a single distinct
+ Listener**.
+
+ When multiple Listeners share values for fields (for
example, two Listeners with the same Port value), the implementation
can match requests to only one of the Listeners using other
Listener fields.
- For example, the following Listener scenarios are distinct:
+ When multiple listeners have the same value for the Protocol field, then
+ each of the Listeners with matching Protocol values MUST have different
+ values for other fields.
+
+ The set of fields that MUST be different for a Listener differs per protocol.
+ The following rules define the rules for what fields MUST be considered for
+ Listeners to be distinct with each protocol currently defined in the
+ Gateway API spec.
+
+ The set of listeners that all share a protocol value MUST have _different_
+ values for _at least one_ of these fields to be distinct:
+
+ * **HTTP, HTTPS, TLS**: Port, Hostname
+ * **TCP, UDP**: Port
+
+ One **very** important rule to call out involves what happens when an
+ implementation:
- 1. Multiple Listeners with the same Port that all use the "HTTP"
- Protocol that all have unique Hostname values.
- 2. Multiple Listeners with the same Port that use either the "HTTPS" or
- "TLS" Protocol that all have unique Hostname values.
- 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
- with the same Protocol has the same Port value.
+ * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+ Listeners, and
+ * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+ Protocol.
- Some fields in the Listener struct have possible values that affect
- whether the Listener is distinct. Hostname is particularly relevant
- for HTTP or HTTPS protocols.
+ In this case all the Listeners that share a port with the
+ TCP Listener are not distinct and so MUST NOT be accepted.
- When using the Hostname value to select between same-Port, same-Protocol
- Listeners, the Hostname value must be different on each Listener for the
- Listener to be distinct.
+ If an implementation does not support TCP Protocol Listeners, then the
+ previous rule does not apply, and the TCP Listeners SHOULD NOT be
+ accepted.
- When the Listeners are distinct based on Hostname, inbound request
+ Note that the `tls` field is not used for determining if a listener is distinct, because
+ Listeners that _only_ differ on TLS config will still conflict in all cases.
+
+ ### Listeners that are distinct only by Hostname
+
+ When the Listeners are distinct based only on Hostname, inbound request
hostnames MUST match from the most specific to least specific Hostname
values to choose the correct Listener and its associated set of Routes.
- Exact matches must be processed before wildcard matches, and wildcard
- matches must be processed before fallback (empty Hostname value)
+ Exact matches MUST be processed before wildcard matches, and wildcard
+ matches MUST be processed before fallback (empty Hostname value)
matches. For example, `"foo.example.com"` takes precedence over
`"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
Additionally, if there are multiple wildcard entries, more specific
wildcard entries must be processed before less specific wildcard entries.
For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+
The precise definition here is that the higher the number of dots in the
hostname to the right of the wildcard character, the higher the precedence.
@@ -2069,18 +1696,26 @@ spec:
the left, however, so `"*.example.com"` will match both
`"foo.bar.example.com"` _and_ `"bar.example.com"`.
+ ## Handling indistinct Listeners
+
If a set of Listeners contains Listeners that are not distinct, then those
- Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
condition in the Listener Status to "True".
+ The words "indistinct" and "conflicted" are considered equivalent for the
+ purpose of this documentation.
+
Implementations MAY choose to accept a Gateway with some Conflicted
Listeners only if they only accept the partial Listener set that contains
- no Conflicted Listeners. To put this another way, implementations may
- accept a partial Listener set only if they throw out *all* the conflicting
- Listeners. No picking one of the conflicting listeners as the winner.
- This also means that the Gateway must have at least one non-conflicting
- Listener in this case, otherwise it violates the requirement that at
- least one Listener must be present.
+ no Conflicted Listeners.
+
+ Specifically, an implementation MAY accept a partial Listener set subject to
+ the following rules:
+
+ * The implementation MUST NOT pick one conflicting Listener as the winner.
+ ALL indistinct Listeners must not be accepted for processing.
+ * At least one distinct Listener MUST be present, or else the Gateway effectively
+ contains _no_ Listeners, and must be rejected from processing as a whole.
The implementation MUST set a "ListenersNotValid" condition on the
Gateway Status when the Gateway contains Conflicted Listeners whether or
@@ -2089,7 +1724,25 @@ spec:
Accepted. Additionally, the Listener status for those listeners SHOULD
indicate which Listeners are conflicted and not Accepted.
- A Gateway's Listeners are considered "compatible" if:
+ ## General Listener behavior
+
+ Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+ For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+
+ This concept is known as "Listener Isolation", and it is an Extended feature
+ of Gateway API. Implementations that do not support Listener Isolation MUST
+ clearly document this, and MUST NOT claim support for the
+ `GatewayHTTPListenerIsolation` feature.
+
+ Implementations that _do_ support Listener Isolation SHOULD claim support
+ for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+ conformance tests.
+
+ ## Compatible Listeners
+
+ A Gateway's Listeners are considered _compatible_ if:
1. They are distinct.
2. The implementation can serve them in compliance with the Addresses
@@ -2104,16 +1757,11 @@ spec:
on the same address, or cannot mix HTTPS and generic TLS listens on the same port
would not consider those cases compatible, even though they are distinct.
- Note that requests SHOULD match at most one Listener. For example, if
- Listeners are defined for "foo.example.com" and "*.example.com", a
- request to "foo.example.com" SHOULD only be routed using routes attached
- to the "foo.example.com" Listener (and not the "*.example.com" Listener).
- This concept is known as "Listener Isolation". Implementations that do
- not support Listener Isolation MUST clearly document this.
-
Implementations MAY merge separate Gateways onto a single set of
Addresses if all Listeners across all Gateways are compatible.
+ In a future release the MinItems=1 requirement MAY be dropped.
+
Support: Core
items:
description: |-
@@ -2275,10 +1923,31 @@ spec:
* TLS: The Listener Hostname MUST match the SNI.
* HTTP: The Listener Hostname MUST match the Host header of the request.
- * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
- protocol layers as described above. If an implementation does not
- ensure that both the SNI and Host header match the Listener hostname,
- it MUST clearly document that.
+ * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+ Note that this does not require the SNI and Host header to be the same.
+ The semantics of this are described in more detail below.
+
+ To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+ implementations that rely on SNI hostname matching MUST also verify
+ hostnames within the application protocol.
+
+ Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+ reuse of a connection by responding with the HTTP 421 Misdirected Request
+ status code. This indicates that the origin server has rejected the
+ request because it appears to have been misdirected.
+
+ To detect misdirected requests, Gateways SHOULD match the authority of
+ the requests with all the SNI hostname(s) configured across all the
+ Gateway Listeners on the same port and protocol:
+
+ * If another Listener has an exact match or more specific wildcard entry,
+ the Gateway SHOULD return a 421.
+ * If the current Listener (selected by SNI matching during ClientHello)
+ does not match the Host:
+ * If another Listener does match the Host the Gateway SHOULD return a
+ 421.
+ * If no other Listener matches the Host, the Gateway MUST return a
+ 404.
For HTTPRoute and TLSRoute resources, there is an interaction with the
`spec.hostnames` array. When both listener and route specify hostnames,
@@ -2418,7 +2087,7 @@ spec:
maxItems: 64
type: array
frontendValidation:
- description: |+
+ description: |-
FrontendValidation holds configuration information for validating the frontend (client).
Setting this field will require clients to send a client certificate
required for validation during the TLS handshake. In browsers this may result in a dialog appearing
@@ -2426,7 +2095,6 @@ spec:
The maximum depth of a certificate chain accepted in verification is Implementation specific.
Support: Extended
-
properties:
caCertificateRefs:
description: |-
@@ -2465,7 +2133,7 @@ spec:
group:
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
+ When set to the empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -2603,7 +2271,7 @@ spec:
description: Status defines the current state of Gateway.
properties:
addresses:
- description: |+
+ description: |-
Addresses lists the network addresses that have been bound to the
Gateway.
@@ -2613,7 +2281,6 @@ spec:
* no addresses are specified, all addresses are dynamically assigned
* a combination of specified and dynamic addresses are assigned
* a specified address was unusable (e.g. already in use)
-
items:
description: GatewayStatusAddress describes a network address that
is bound to a Gateway.
@@ -2931,7 +2598,7 @@ spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
- description: |+
+ description: |-
Addresses requested for this Gateway. This is optional and behavior can
depend on the implementation. If a value is set in the spec and the
requested address is invalid or unavailable, the implementation MUST
@@ -2952,10 +2619,9 @@ spec:
GatewayStatus.Addresses.
Support: Extended
-
items:
- description: GatewayAddress describes an address that can be bound
- to a Gateway.
+ description: GatewaySpecAddress describes an address that can be
+ bound to a Gateway.
oneOf:
- properties:
type:
@@ -2980,15 +2646,15 @@ spec:
type: string
value:
description: |-
- Value of the address. The validity of the values will depend
- on the type and support by the controller.
+ When a value is unspecified, an implementation SHOULD automatically
+ assign an address matching the requested type if possible.
+
+ If an implementation does not support an empty value, they MUST set the
+ "Programmed" condition in status to False with a reason of "AddressNotAssigned".
Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
maxLength: 253
- minLength: 1
type: string
- required:
- - value
type: object
x-kubernetes-validations:
- message: Hostname value must only contain valid characters (matching
@@ -3004,16 +2670,96 @@ spec:
- message: Hostname values must be unique
rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
+ allowedListeners:
+ description: |-
+ AllowedListeners defines which ListenerSets can be attached to this Gateway.
+ While this feature is experimental, the default value is to allow no ListenerSets.
+ properties:
+ namespaces:
+ default:
+ from: None
+ description: |-
+ Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+ While this feature is experimental, the default value is to allow no ListenerSets.
+ properties:
+ from:
+ default: None
+ description: |-
+ From indicates where ListenerSets can attach to this Gateway. Possible
+ values are:
+
+ * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+ * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+ * All: ListenerSets in all namespaces may be attached to this Gateway.
+ * None: Only listeners defined in the Gateway's spec are allowed
+
+ While this feature is experimental, the default value None
+ enum:
+ - All
+ - Selector
+ - Same
+ - None
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only ListenerSets in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
backendTLS:
- description: |+
+ description: |-
BackendTLS configures TLS settings for when this Gateway is connecting to
backends with TLS.
Support: Core
-
properties:
clientCertificateRef:
- description: |+
+ description: |-
ClientCertificateRef is a reference to an object that contains a Client
Certificate and the associated private key.
@@ -3029,7 +2775,6 @@ spec:
This setting can be overridden on the service level by use of BackendTLSPolicy.
Support: Core
-
properties:
group:
default: ""
@@ -3164,6 +2909,11 @@ spec:
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the Gateway SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
Support: Implementation-specific
properties:
group:
@@ -3194,6 +2944,8 @@ spec:
logical endpoints that are bound on this Gateway's addresses.
At least one Listener MUST be specified.
+ ## Distinct Listeners
+
Each Listener in a set of Listeners (for example, in a single Gateway)
MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
exactly one listener. (This section uses "set of Listeners" rather than
@@ -3205,55 +2957,76 @@ spec:
combination of Port, Protocol, and, if supported by the protocol, Hostname.
Some combinations of port, protocol, and TLS settings are considered
- Core support and MUST be supported by implementations based on their
- targeted conformance profile:
+ Core support and MUST be supported by implementations based on the objects
+ they support:
- HTTP Profile
+ HTTPRoute
1. HTTPRoute, Port: 80, Protocol: HTTP
2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
- TLS Profile
+ TLSRoute
1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
"Distinct" Listeners have the following property:
- The implementation can match inbound requests to a single distinct
- Listener. When multiple Listeners share values for fields (for
+ **The implementation can match inbound requests to a single distinct
+ Listener**.
+
+ When multiple Listeners share values for fields (for
example, two Listeners with the same Port value), the implementation
can match requests to only one of the Listeners using other
Listener fields.
- For example, the following Listener scenarios are distinct:
+ When multiple listeners have the same value for the Protocol field, then
+ each of the Listeners with matching Protocol values MUST have different
+ values for other fields.
+
+ The set of fields that MUST be different for a Listener differs per protocol.
+ The following rules define the rules for what fields MUST be considered for
+ Listeners to be distinct with each protocol currently defined in the
+ Gateway API spec.
+
+ The set of listeners that all share a protocol value MUST have _different_
+ values for _at least one_ of these fields to be distinct:
+
+ * **HTTP, HTTPS, TLS**: Port, Hostname
+ * **TCP, UDP**: Port
- 1. Multiple Listeners with the same Port that all use the "HTTP"
- Protocol that all have unique Hostname values.
- 2. Multiple Listeners with the same Port that use either the "HTTPS" or
- "TLS" Protocol that all have unique Hostname values.
- 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
- with the same Protocol has the same Port value.
+ One **very** important rule to call out involves what happens when an
+ implementation:
- Some fields in the Listener struct have possible values that affect
- whether the Listener is distinct. Hostname is particularly relevant
- for HTTP or HTTPS protocols.
+ * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+ Listeners, and
+ * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+ Protocol.
- When using the Hostname value to select between same-Port, same-Protocol
- Listeners, the Hostname value must be different on each Listener for the
- Listener to be distinct.
+ In this case all the Listeners that share a port with the
+ TCP Listener are not distinct and so MUST NOT be accepted.
- When the Listeners are distinct based on Hostname, inbound request
+ If an implementation does not support TCP Protocol Listeners, then the
+ previous rule does not apply, and the TCP Listeners SHOULD NOT be
+ accepted.
+
+ Note that the `tls` field is not used for determining if a listener is distinct, because
+ Listeners that _only_ differ on TLS config will still conflict in all cases.
+
+ ### Listeners that are distinct only by Hostname
+
+ When the Listeners are distinct based only on Hostname, inbound request
hostnames MUST match from the most specific to least specific Hostname
values to choose the correct Listener and its associated set of Routes.
- Exact matches must be processed before wildcard matches, and wildcard
- matches must be processed before fallback (empty Hostname value)
+ Exact matches MUST be processed before wildcard matches, and wildcard
+ matches MUST be processed before fallback (empty Hostname value)
matches. For example, `"foo.example.com"` takes precedence over
`"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
Additionally, if there are multiple wildcard entries, more specific
wildcard entries must be processed before less specific wildcard entries.
For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+
The precise definition here is that the higher the number of dots in the
hostname to the right of the wildcard character, the higher the precedence.
@@ -3261,18 +3034,26 @@ spec:
the left, however, so `"*.example.com"` will match both
`"foo.bar.example.com"` _and_ `"bar.example.com"`.
+ ## Handling indistinct Listeners
+
If a set of Listeners contains Listeners that are not distinct, then those
- Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
condition in the Listener Status to "True".
+ The words "indistinct" and "conflicted" are considered equivalent for the
+ purpose of this documentation.
+
Implementations MAY choose to accept a Gateway with some Conflicted
Listeners only if they only accept the partial Listener set that contains
- no Conflicted Listeners. To put this another way, implementations may
- accept a partial Listener set only if they throw out *all* the conflicting
- Listeners. No picking one of the conflicting listeners as the winner.
- This also means that the Gateway must have at least one non-conflicting
- Listener in this case, otherwise it violates the requirement that at
- least one Listener must be present.
+ no Conflicted Listeners.
+
+ Specifically, an implementation MAY accept a partial Listener set subject to
+ the following rules:
+
+ * The implementation MUST NOT pick one conflicting Listener as the winner.
+ ALL indistinct Listeners must not be accepted for processing.
+ * At least one distinct Listener MUST be present, or else the Gateway effectively
+ contains _no_ Listeners, and must be rejected from processing as a whole.
The implementation MUST set a "ListenersNotValid" condition on the
Gateway Status when the Gateway contains Conflicted Listeners whether or
@@ -3281,7 +3062,25 @@ spec:
Accepted. Additionally, the Listener status for those listeners SHOULD
indicate which Listeners are conflicted and not Accepted.
- A Gateway's Listeners are considered "compatible" if:
+ ## General Listener behavior
+
+ Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+ For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+
+ This concept is known as "Listener Isolation", and it is an Extended feature
+ of Gateway API. Implementations that do not support Listener Isolation MUST
+ clearly document this, and MUST NOT claim support for the
+ `GatewayHTTPListenerIsolation` feature.
+
+ Implementations that _do_ support Listener Isolation SHOULD claim support
+ for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+ conformance tests.
+
+ ## Compatible Listeners
+
+ A Gateway's Listeners are considered _compatible_ if:
1. They are distinct.
2. The implementation can serve them in compliance with the Addresses
@@ -3296,16 +3095,11 @@ spec:
on the same address, or cannot mix HTTPS and generic TLS listens on the same port
would not consider those cases compatible, even though they are distinct.
- Note that requests SHOULD match at most one Listener. For example, if
- Listeners are defined for "foo.example.com" and "*.example.com", a
- request to "foo.example.com" SHOULD only be routed using routes attached
- to the "foo.example.com" Listener (and not the "*.example.com" Listener).
- This concept is known as "Listener Isolation". Implementations that do
- not support Listener Isolation MUST clearly document this.
-
Implementations MAY merge separate Gateways onto a single set of
Addresses if all Listeners across all Gateways are compatible.
+ In a future release the MinItems=1 requirement MAY be dropped.
+
Support: Core
items:
description: |-
@@ -3467,10 +3261,31 @@ spec:
* TLS: The Listener Hostname MUST match the SNI.
* HTTP: The Listener Hostname MUST match the Host header of the request.
- * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
- protocol layers as described above. If an implementation does not
- ensure that both the SNI and Host header match the Listener hostname,
- it MUST clearly document that.
+ * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+ Note that this does not require the SNI and Host header to be the same.
+ The semantics of this are described in more detail below.
+
+ To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+ implementations that rely on SNI hostname matching MUST also verify
+ hostnames within the application protocol.
+
+ Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+ reuse of a connection by responding with the HTTP 421 Misdirected Request
+ status code. This indicates that the origin server has rejected the
+ request because it appears to have been misdirected.
+
+ To detect misdirected requests, Gateways SHOULD match the authority of
+ the requests with all the SNI hostname(s) configured across all the
+ Gateway Listeners on the same port and protocol:
+
+ * If another Listener has an exact match or more specific wildcard entry,
+ the Gateway SHOULD return a 421.
+ * If the current Listener (selected by SNI matching during ClientHello)
+ does not match the Host:
+ * If another Listener does match the Host the Gateway SHOULD return a
+ 421.
+ * If no other Listener matches the Host, the Gateway MUST return a
+ 404.
For HTTPRoute and TLSRoute resources, there is an interaction with the
`spec.hostnames` array. When both listener and route specify hostnames,
@@ -3610,7 +3425,7 @@ spec:
maxItems: 64
type: array
frontendValidation:
- description: |+
+ description: |-
FrontendValidation holds configuration information for validating the frontend (client).
Setting this field will require clients to send a client certificate
required for validation during the TLS handshake. In browsers this may result in a dialog appearing
@@ -3618,7 +3433,6 @@ spec:
The maximum depth of a certificate chain accepted in verification is Implementation specific.
Support: Extended
-
properties:
caCertificateRefs:
description: |-
@@ -3657,7 +3471,7 @@ spec:
group:
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
+ When set to the empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -3795,7 +3609,7 @@ spec:
description: Status defines the current state of Gateway.
properties:
addresses:
- description: |+
+ description: |-
Addresses lists the network addresses that have been bound to the
Gateway.
@@ -3805,7 +3619,6 @@ spec:
* no addresses are specified, all addresses are dynamically assigned
* a combination of specified and dynamic addresses are assigned
* a specified address was unusable (e.g. already in use)
-
items:
description: GatewayStatusAddress describes a network address that
is bound to a Gateway.
@@ -4097,7 +3910,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: grpcroutes.gateway.networking.k8s.io
@@ -4246,7 +4059,7 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: |+
+ description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
@@ -4308,11 +4121,6 @@ spec:
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
-
-
-
-
-
items:
description: |-
ParentReference identifies an API object (usually a Gateway) that can be considered
@@ -4486,9 +4294,7 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: |+
- Rules are a list of GRPC matchers, filters and actions.
-
+ description: Rules are a list of GRPC matchers, filters and actions.
items:
description: |-
GRPCRouteRule defines the semantics for matching a gRPC request based on
@@ -4534,7 +4340,6 @@ spec:
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
When the BackendRef points to a Kubernetes Service, implementations SHOULD
honor the appProtocol field if it is set for the target Service Port.
@@ -4549,8 +4354,6 @@ spec:
If a Route is not able to send traffic to the backend using the specified
protocol then the backend is considered invalid. Implementations MUST set the
"ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
-
-
properties:
filters:
description: |-
@@ -4636,7 +4439,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -4711,7 +4514,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -4739,7 +4542,7 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: |+
+ description: |-
RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
@@ -4749,7 +4552,6 @@ spec:
backends.
Support: Extended
-
properties:
backendRef:
description: |-
@@ -4845,13 +4647,12 @@ spec:
rule: '(size(self.group) == 0 && self.kind
== ''Service'') ? has(self.port) : true'
fraction:
- description: |+
+ description: |-
Fraction represents the fraction of requests that should be
mirrored to BackendRef.
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
properties:
denominator:
default: 100
@@ -4870,14 +4671,13 @@ spec:
to denominator
rule: self.numerator <= self.denominator
percent:
- description: |+
+ description: |-
Percent represents the percentage of requests that should be
mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
requests) and its maximum value is 100 (indicating 100% of requests).
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
format: int32
maximum: 100
minimum: 0
@@ -4922,7 +4722,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -4997,7 +4797,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -5025,7 +4825,7 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: |+
+ description: |-
Type identifies the type of filter to apply. As with other API fields,
types are classified into three conformance levels:
@@ -5050,7 +4850,6 @@ spec:
If a reference to a custom filter type cannot be resolved, the filter
MUST NOT be skipped. Instead, requests that would have been processed by
that filter MUST receive a HTTP error response.
-
enum:
- ResponseHeaderModifier
- RequestHeaderModifier
@@ -5207,7 +5006,7 @@ spec:
Specifying the same filter multiple times is not supported unless explicitly
indicated in the filter.
- If an implementation can not support a combination of filters, it must clearly
+ If an implementation cannot support a combination of filters, it must clearly
document that limitation. In cases where incompatible or unsupported
filters are specified and cause the `Accepted` condition to be set to status
`False`, implementations may use the `IncompatibleFilters` reason to specify
@@ -5290,7 +5089,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -5364,7 +5163,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -5392,7 +5191,7 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: |+
+ description: |-
RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
@@ -5402,7 +5201,6 @@ spec:
backends.
Support: Extended
-
properties:
backendRef:
description: |-
@@ -5498,13 +5296,12 @@ spec:
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
fraction:
- description: |+
+ description: |-
Fraction represents the fraction of requests that should be
mirrored to BackendRef.
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
properties:
denominator:
default: 100
@@ -5523,14 +5320,13 @@ spec:
denominator
rule: self.numerator <= self.denominator
percent:
- description: |+
+ description: |-
Percent represents the percentage of requests that should be
mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
requests) and its maximum value is 100 (indicating 100% of requests).
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
format: int32
maximum: 100
minimum: 0
@@ -5574,7 +5370,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -5648,7 +5444,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -5676,7 +5472,7 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: |+
+ description: |-
Type identifies the type of filter to apply. As with other API fields,
types are classified into three conformance levels:
@@ -5701,7 +5497,6 @@ spec:
If a reference to a custom filter type cannot be resolved, the filter
MUST NOT be skipped. Instead, requests that would have been processed by
that filter MUST receive a HTTP error response.
-
enum:
- ResponseHeaderModifier
- RequestHeaderModifier
@@ -5917,10 +5712,10 @@ spec:
has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
true'
type: object
- maxItems: 8
+ maxItems: 64
type: array
name:
- description: |
+ description: |-
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended
@@ -5929,12 +5724,11 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
sessionPersistence:
- description: |+
+ description: |-
SessionPersistence defines and configures session persistence
for the route rule.
Support: Extended
-
properties:
absoluteTimeout:
description: |-
@@ -5969,6 +5763,8 @@ spec:
absolute lifetime of the cookie tracked by the gateway and
is optional.
+ Defaults to "Session".
+
Support: Core for "Session" type
Support: Extended for "Permanent" type
@@ -6086,7 +5882,7 @@ spec:
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
- * The Route refers to a non-existent parent.
+ * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.
items:
@@ -6335,7 +6131,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: httproutes.gateway.networking.k8s.io
@@ -6464,7 +6260,7 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: |+
+ description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
@@ -6526,11 +6322,6 @@ spec:
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
-
-
-
-
-
items:
description: |-
ParentReference identifies an API object (usually a Gateway) that can be considered
@@ -6709,9 +6500,7 @@ spec:
- path:
type: PathPrefix
value: /
- description: |+
- Rules are a list of HTTP matchers, filters and actions.
-
+ description: Rules are a list of HTTP matchers, filters and actions.
items:
description: |-
HTTPRouteRule defines semantics for matching an HTTP request based on
@@ -6764,7 +6553,6 @@ spec:
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
When the BackendRef points to a Kubernetes Service, implementations SHOULD
honor the appProtocol field if it is set for the target Service Port.
@@ -6779,8 +6567,6 @@ spec:
If a Route is not able to send traffic to the backend using the specified
protocol then the backend is considered invalid. Implementations MUST set the
"ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
-
-
properties:
filters:
description: |-
@@ -6798,6 +6584,289 @@ spec:
authentication strategies, rate-limiting, and traffic shaping. API
guarantee/conformance is defined based on the type of the filter.
properties:
+ cors:
+ description: |-
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
+
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
+
+ The only valid value for the `Access-Control-Allow-Credentials` response
+ header is true (case-sensitive).
+
+ If the credentials are not allowed in cross-origin requests, the gateway
+ will omit the header `Access-Control-Allow-Credentials` entirely rather
+ than setting its value to false.
+
+ Support: Extended
+ enum:
+ - true
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
+
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
+
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
+
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
+
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
+ description: |-
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
+
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
+
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
+
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
+
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
+
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
+
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
+
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
+
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
+
+ Valid values for scheme are: `http` and `https`.
+
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
+
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
+
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
+
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
+
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
+
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
+
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
+
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
+
+ Support: Extended
+ items:
+ description: |-
+ The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
+ include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
+
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
+
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
+
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is
+ unspecified.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
+
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
+
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
extensionRef:
description: |-
ExtensionRef is an optional, implementation-specific extension to the
@@ -6866,7 +6935,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -6941,7 +7010,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -6969,7 +7038,7 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: |+
+ description: |-
RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
@@ -6979,7 +7048,6 @@ spec:
backends.
Support: Extended
-
properties:
backendRef:
description: |-
@@ -7075,13 +7143,12 @@ spec:
rule: '(size(self.group) == 0 && self.kind
== ''Service'') ? has(self.port) : true'
fraction:
- description: |+
+ description: |-
Fraction represents the fraction of requests that should be
mirrored to BackendRef.
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
properties:
denominator:
default: 100
@@ -7100,14 +7167,13 @@ spec:
to denominator
rule: self.numerator <= self.denominator
percent:
- description: |+
+ description: |-
Percent represents the percentage of requests that should be
mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
requests) and its maximum value is 100 (indicating 100% of requests).
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
format: int32
maximum: 100
minimum: 0
@@ -7305,7 +7371,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -7380,7 +7446,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -7448,6 +7514,7 @@ spec:
- RequestRedirect
- URLRewrite
- ExtensionRef
+ - CORS
type: string
urlRewrite:
description: |-
@@ -7580,6 +7647,11 @@ spec:
- message: filter.extensionRef must be specified for
ExtensionRef filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
maxItems: 16
type: array
x-kubernetes-validations:
@@ -7701,7 +7773,7 @@ spec:
they are specified.
Implementations MAY choose to implement this ordering strictly, rejecting
- any combination or order of filters that can not be supported. If implementations
+ any combination or order of filters that cannot be supported. If implementations
choose a strict interpretation of filter ordering, they MUST clearly document
that behavior.
@@ -7723,7 +7795,7 @@ spec:
All filters are expected to be compatible with each other except for the
URLRewrite and RequestRedirect filters, which may not be combined. If an
- implementation can not support other combinations of filters, they must clearly
+ implementation cannot support other combinations of filters, they must clearly
document that limitation. In cases where incompatible or unsupported
filters are specified and cause the `Accepted` condition to be set to status
`False`, implementations may use the `IncompatibleFilters` reason to specify
@@ -7739,6 +7811,289 @@ spec:
authentication strategies, rate-limiting, and traffic shaping. API
guarantee/conformance is defined based on the type of the filter.
properties:
+ cors:
+ description: |-
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
+
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
+
+ The only valid value for the `Access-Control-Allow-Credentials` response
+ header is true (case-sensitive).
+
+ If the credentials are not allowed in cross-origin requests, the gateway
+ will omit the header `Access-Control-Allow-Credentials` entirely rather
+ than setting its value to false.
+
+ Support: Extended
+ enum:
+ - true
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
+
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
+
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
+
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
+
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
+ description: |-
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
+
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
+
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
+
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
+
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
+
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
+
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
+
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
+
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
+
+ Valid values for scheme are: `http` and `https`.
+
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
+
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
+
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
+
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
+
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
+
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
+
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
+
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
+
+ Support: Extended
+ items:
+ description: |-
+ The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
+ include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
+
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
+
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
+
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is
+ unspecified.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
+
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
+
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
extensionRef:
description: |-
ExtensionRef is an optional, implementation-specific extension to the
@@ -7806,7 +8161,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -7880,7 +8235,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -7908,7 +8263,7 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: |+
+ description: |-
RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
@@ -7918,7 +8273,6 @@ spec:
backends.
Support: Extended
-
properties:
backendRef:
description: |-
@@ -8014,13 +8368,12 @@ spec:
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
fraction:
- description: |+
+ description: |-
Fraction represents the fraction of requests that should be
mirrored to BackendRef.
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
properties:
denominator:
default: 100
@@ -8039,14 +8392,13 @@ spec:
denominator
rule: self.numerator <= self.denominator
percent:
- description: |+
+ description: |-
Percent represents the percentage of requests that should be
mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
requests) and its maximum value is 100 (indicating 100% of requests).
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
format: int32
maximum: 100
minimum: 0
@@ -8243,7 +8595,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -8317,7 +8669,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -8385,6 +8737,7 @@ spec:
- RequestRedirect
- URLRewrite
- ExtensionRef
+ - CORS
type: string
urlRewrite:
description: |-
@@ -8514,6 +8867,11 @@ spec:
- message: filter.extensionRef must be specified for ExtensionRef
filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
maxItems: 16
type: array
x-kubernetes-validations:
@@ -8617,7 +8975,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, only the first
entry with an equivalent name MUST be considered for a match. Subsequent
@@ -8828,7 +9186,7 @@ spec:
maxItems: 64
type: array
name:
- description: |
+ description: |-
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended
@@ -8837,15 +9195,14 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
retry:
- description: |+
+ description: |-
Retry defines the configuration for when to retry an HTTP request.
Support: Extended
-
properties:
attempts:
description: |-
- Attempts specifies the maxmimum number of times an individual request
+ Attempts specifies the maximum number of times an individual request
from the gateway to a backend should be retried.
If the maximum number of retries has been attempted without a successful
@@ -8919,20 +9276,17 @@ spec:
Implementations MAY support specifying discrete values in the 400-499 range,
which are often inadvisable to retry.
-
-
maximum: 599
minimum: 400
type: integer
type: array
type: object
sessionPersistence:
- description: |+
+ description: |-
SessionPersistence defines and configures session persistence
for the route rule.
Support: Extended
-
properties:
absoluteTimeout:
description: |-
@@ -8967,6 +9321,8 @@ spec:
absolute lifetime of the cookie tracked by the gateway and
is optional.
+ Defaults to "Session".
+
Support: Core for "Session" type
Support: Extended for "Permanent" type
@@ -9180,7 +9536,7 @@ spec:
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
- * The Route refers to a non-existent parent.
+ * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.
items:
@@ -9530,7 +9886,7 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: |+
+ description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
@@ -9592,11 +9948,6 @@ spec:
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
-
-
-
-
-
items:
description: |-
ParentReference identifies an API object (usually a Gateway) that can be considered
@@ -9775,9 +10126,7 @@ spec:
- path:
type: PathPrefix
value: /
- description: |+
- Rules are a list of HTTP matchers, filters and actions.
-
+ description: Rules are a list of HTTP matchers, filters and actions.
items:
description: |-
HTTPRouteRule defines semantics for matching an HTTP request based on
@@ -9830,7 +10179,6 @@ spec:
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
When the BackendRef points to a Kubernetes Service, implementations SHOULD
honor the appProtocol field if it is set for the target Service Port.
@@ -9845,8 +10193,6 @@ spec:
If a Route is not able to send traffic to the backend using the specified
protocol then the backend is considered invalid. Implementations MUST set the
"ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
-
-
properties:
filters:
description: |-
@@ -9864,6 +10210,289 @@ spec:
authentication strategies, rate-limiting, and traffic shaping. API
guarantee/conformance is defined based on the type of the filter.
properties:
+ cors:
+ description: |-
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
+
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
+
+ The only valid value for the `Access-Control-Allow-Credentials` response
+ header is true (case-sensitive).
+
+ If the credentials are not allowed in cross-origin requests, the gateway
+ will omit the header `Access-Control-Allow-Credentials` entirely rather
+ than setting its value to false.
+
+ Support: Extended
+ enum:
+ - true
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
+
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
+
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
+
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
+
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
+ description: |-
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
+
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
+
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
+
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
+
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
+
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
+
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
+
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
+
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
+
+ Valid values for scheme are: `http` and `https`.
+
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
+
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
+
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
+
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
+
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
+
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
+
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
+
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
+
+ Support: Extended
+ items:
+ description: |-
+ The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
+ include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
+
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
+
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
+
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is
+ unspecified.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
+
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
+
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
extensionRef:
description: |-
ExtensionRef is an optional, implementation-specific extension to the
@@ -9932,7 +10561,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -10007,7 +10636,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -10035,7 +10664,7 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: |+
+ description: |-
RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
@@ -10045,7 +10674,6 @@ spec:
backends.
Support: Extended
-
properties:
backendRef:
description: |-
@@ -10141,13 +10769,12 @@ spec:
rule: '(size(self.group) == 0 && self.kind
== ''Service'') ? has(self.port) : true'
fraction:
- description: |+
+ description: |-
Fraction represents the fraction of requests that should be
mirrored to BackendRef.
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
properties:
denominator:
default: 100
@@ -10166,14 +10793,13 @@ spec:
to denominator
rule: self.numerator <= self.denominator
percent:
- description: |+
+ description: |-
Percent represents the percentage of requests that should be
mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
requests) and its maximum value is 100 (indicating 100% of requests).
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
format: int32
maximum: 100
minimum: 0
@@ -10371,7 +10997,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -10446,7 +11072,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -10514,6 +11140,7 @@ spec:
- RequestRedirect
- URLRewrite
- ExtensionRef
+ - CORS
type: string
urlRewrite:
description: |-
@@ -10646,6 +11273,11 @@ spec:
- message: filter.extensionRef must be specified for
ExtensionRef filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
maxItems: 16
type: array
x-kubernetes-validations:
@@ -10767,7 +11399,7 @@ spec:
they are specified.
Implementations MAY choose to implement this ordering strictly, rejecting
- any combination or order of filters that can not be supported. If implementations
+ any combination or order of filters that cannot be supported. If implementations
choose a strict interpretation of filter ordering, they MUST clearly document
that behavior.
@@ -10789,7 +11421,7 @@ spec:
All filters are expected to be compatible with each other except for the
URLRewrite and RequestRedirect filters, which may not be combined. If an
- implementation can not support other combinations of filters, they must clearly
+ implementation cannot support other combinations of filters, they must clearly
document that limitation. In cases where incompatible or unsupported
filters are specified and cause the `Accepted` condition to be set to status
`False`, implementations may use the `IncompatibleFilters` reason to specify
@@ -10805,6 +11437,289 @@ spec:
authentication strategies, rate-limiting, and traffic shaping. API
guarantee/conformance is defined based on the type of the filter.
properties:
+ cors:
+ description: |-
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
+
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
+
+ The only valid value for the `Access-Control-Allow-Credentials` response
+ header is true (case-sensitive).
+
+ If the credentials are not allowed in cross-origin requests, the gateway
+ will omit the header `Access-Control-Allow-Credentials` entirely rather
+ than setting its value to false.
+
+ Support: Extended
+ enum:
+ - true
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
+
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
+
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
+
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
+
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
+ description: |-
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
+
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
+
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
+
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
+
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
+
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
+
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
+
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
+
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
+
+ Valid values for scheme are: `http` and `https`.
+
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
+
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
+
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
+
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
+
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
+
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
+
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
+
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is unspecified.
+
+ When the `AllowCredentials` field is specified and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
+
+ Support: Extended
+ items:
+ description: |-
+ The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
+ include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
+
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
+
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
+
+ Header names are not case sensitive.
+
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
+
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is
+ unspecified.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
+
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
+
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
extensionRef:
description: |-
ExtensionRef is an optional, implementation-specific extension to the
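Review bot: The new CORS filter schema validates the dangerous wildcard-plus-credentials combination only by description, not by rule: the text at `allowOrigins` says that with `AllowCredentials` set and `allowOrigins: ["*"]` the gateway reflects the request `Origin` back in `Access-Control-Allow-Origin`, which is credentialed cross-origin access from any origin, yet the only CEL rule in the hunk is the `allowMethods` one (`!('*' in self && self.size() > 1)`); nothing rejects `allowCredentials: true` alongside `*` in `allowOrigins`, `allowHeaders` or `exposeHeaders`. Likewise the `allowOrigins` item `pattern` is not `$`-anchored and accepts any scheme, so the CRD does not enforce the `http`/`https`-only contract the description states; enforcement is left entirely to Envoy Gateway. Since this file is regenerated from the bundled chart, the fix is not an edit here but operator-side: document in the gateway docs that a credentialed `*` origin reflects every Origin and that origin validation happens in the implementation, not at admission, e.g. `# NOTE: allowCredentials with a "*" origin reflects any Origin; list explicit origins when credentials are allowed`.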
@@ -10872,7 +11787,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -10946,7 +11861,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -10974,7 +11889,7 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: |+
+ description: |-
RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
@@ -10984,7 +11899,6 @@ spec:
backends.
Support: Extended
-
properties:
backendRef:
description: |-
@@ -11080,13 +11994,12 @@ spec:
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
fraction:
- description: |+
+ description: |-
Fraction represents the fraction of requests that should be
mirrored to BackendRef.
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
properties:
denominator:
default: 100
@@ -11105,14 +12018,13 @@ spec:
denominator
rule: self.numerator <= self.denominator
percent:
- description: |+
+ description: |-
Percent represents the percentage of requests that should be
mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
requests) and its maximum value is 100 (indicating 100% of requests).
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.
-
format: int32
maximum: 100
minimum: 0
@@ -11309,7 +12221,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -11383,7 +12295,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -11451,6 +12363,7 @@ spec:
- RequestRedirect
- URLRewrite
- ExtensionRef
+ - CORS
type: string
urlRewrite:
description: |-
@@ -11580,6 +12493,11 @@ spec:
- message: filter.extensionRef must be specified for ExtensionRef
filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
maxItems: 16
type: array
x-kubernetes-validations:
@@ -11683,7 +12601,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, only the first
entry with an equivalent name MUST be considered for a match. Subsequent
@@ -11894,7 +12812,7 @@ spec:
maxItems: 64
type: array
name:
- description: |
+ description: |-
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended
@@ -11903,15 +12821,14 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
retry:
- description: |+
+ description: |-
Retry defines the configuration for when to retry an HTTP request.
Support: Extended
-
properties:
attempts:
description: |-
- Attempts specifies the maxmimum number of times an individual request
+ Attempts specifies the maximum number of times an individual request
from the gateway to a backend should be retried.
If the maximum number of retries has been attempted without a successful
@@ -11985,20 +12902,17 @@ spec:
Implementations MAY support specifying discrete values in the 400-499 range,
which are often inadvisable to retry.
-
-
maximum: 599
minimum: 400
type: integer
type: array
type: object
sessionPersistence:
- description: |+
+ description: |-
SessionPersistence defines and configures session persistence
for the route rule.
Support: Extended
-
properties:
absoluteTimeout:
description: |-
@@ -12033,6 +12947,8 @@ spec:
absolute lifetime of the cookie tracked by the gateway and
is optional.
+ Defaults to "Session".
+
Support: Core for "Session" type
Support: Extended for "Permanent" type
@@ -12246,7 +13162,7 @@ spec:
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
- * The Route refers to a non-existent parent.
+ * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.
items:
@@ -12497,7 +13413,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: referencegrants.gateway.networking.k8s.io
@@ -12690,7 +13606,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tcproutes.gateway.networking.k8s.io
@@ -12738,7 +13654,7 @@ spec:
description: Spec defines the desired state of TCPRoute.
properties:
parentRefs:
- description: |+
+ description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
@@ -12800,11 +13716,6 @@ spec:
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
-
-
-
-
-
items:
description: |-
ParentReference identifies an API object (usually a Gateway) that can be considered
@@ -12978,16 +13889,14 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: |+
- Rules are a list of TCP matchers and actions.
-
+ description: Rules are a list of TCP matchers and actions.
items:
description: TCPRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be
- sent. If unspecified or invalid (refers to a non-existent resource or a
+ sent. If unspecified or invalid (refers to a nonexistent resource or a
Service with no endpoints), the underlying implementation MUST actively
reject connection attempts to this backend. Connection rejections must
respect weight; if an invalid backend is requested to have 80% of
@@ -13010,7 +13919,6 @@ spec:
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
When the BackendRef points to a Kubernetes Service, implementations SHOULD
honor the appProtocol field if it is set for the target Service Port.
@@ -13026,7 +13934,6 @@ spec:
protocol then the backend is considered invalid. Implementations MUST set the
"ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
-
Note that when the BackendTLSPolicy object is enabled by the implementation,
there are some extra rules about validity to consider here. See the fields
@@ -13184,7 +14091,7 @@ spec:
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
- * The Route refers to a non-existent parent.
+ * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.
items:
@@ -13435,7 +14342,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tlsroutes.gateway.networking.k8s.io
@@ -13543,7 +14450,7 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: |+
+ description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
@@ -13605,11 +14512,6 @@ spec:
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
-
-
-
-
-
items:
description: |-
ParentReference identifies an API object (usually a Gateway) that can be considered
@@ -13783,16 +14685,14 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: |+
- Rules are a list of TLS matchers and actions.
-
+ description: Rules are a list of TLS matchers and actions.
items:
description: TLSRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be
- sent. If unspecified or invalid (refers to a non-existent resource or
+ sent. If unspecified or invalid (refers to a nonexistent resource or
a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this
@@ -13818,7 +14718,6 @@ spec:
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
When the BackendRef points to a Kubernetes Service, implementations SHOULD
honor the appProtocol field if it is set for the target Service Port.
@@ -13834,7 +14733,6 @@ spec:
protocol then the backend is considered invalid. Implementations MUST set the
"ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
-
Note that when the BackendTLSPolicy object is enabled by the implementation,
there are some extra rules about validity to consider here. See the fields
@@ -13992,7 +14890,7 @@ spec:
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
- * The Route refers to a non-existent parent.
+ * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.
items:
@@ -14243,7 +15141,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: udproutes.gateway.networking.k8s.io
@@ -14291,7 +15189,7 @@ spec:
description: Spec defines the desired state of UDPRoute.
properties:
parentRefs:
- description: |+
+ description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
@@ -14353,11 +15251,6 @@ spec:
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
-
-
-
-
-
items:
description: |-
ParentReference identifies an API object (usually a Gateway) that can be considered
@@ -14531,16 +15424,14 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: |+
- Rules are a list of UDP matchers and actions.
-
+ description: Rules are a list of UDP matchers and actions.
items:
description: UDPRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be
- sent. If unspecified or invalid (refers to a non-existent resource or a
+ sent. If unspecified or invalid (refers to a nonexistent resource or a
Service with no endpoints), the underlying implementation MUST actively
reject connection attempts to this backend. Packet drops must
respect weight; if an invalid backend is requested to have 80% of
@@ -14563,7 +15454,6 @@ spec:
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
When the BackendRef points to a Kubernetes Service, implementations SHOULD
honor the appProtocol field if it is set for the target Service Port.
@@ -14579,7 +15469,6 @@ spec:
protocol then the backend is considered invalid. Implementations MUST set the
"ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
-
Note that when the BackendTLSPolicy object is enabled by the implementation,
there are some extra rules about validity to consider here. See the fields
@@ -14737,7 +15626,7 @@ spec:
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
- * The Route refers to a non-existent parent.
+ * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.
items:
@@ -14796,175 +15685,1630 @@ spec:
- type
type: object
maxItems: 8
- minItems: 1
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ labels:
+ gateway.networking.k8s.io/policy: Direct
+ name: xbackendtrafficpolicies.gateway.networking.x-k8s.io
+spec:
+ group: gateway.networking.x-k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: XBackendTrafficPolicy
+ listKind: XBackendTrafficPolicyList
+ plural: xbackendtrafficpolicies
+ shortNames:
+ - xbtrafficpolicy
+ singular: xbackendtrafficpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ XBackendTrafficPolicy defines the configuration for how traffic to a
+ target backend should be handled.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of BackendTrafficPolicy.
+ properties:
+ retryConstraint:
+ description: |-
+ RetryConstraint defines the configuration for when to allow or prevent
+ further retries to a target backend, by dynamically calculating a 'retry
+ budget'. This budget is calculated based on the percentage of incoming
+ traffic composed of retries over a given time interval. Once the budget
+ is exceeded, additional retries will be rejected.
+
+ For example, if the retry budget interval is 10 seconds, there have been
+ 1000 active requests in the past 10 seconds, and the allowed percentage
+ of requests that can be retried is 20% (the default), then 200 of those
+ requests may be composed of retries. Active requests will only be
+ considered for the duration of the interval when calculating the retry
+ budget. Retrying the same original request multiple times within the
+ retry budget interval will lead to each retry being counted towards
+ calculating the budget.
+
+ Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+ HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+ backend. While the HTTPRouteRule Retry stanza can specify whether a
+ request will be retried, and the number of retry attempts each client
+ may perform, RetryConstraint helps prevent cascading failures such as
+ retry storms during periods of consistent failures.
+
+ After the retry budget has been exceeded, additional retries to the
+ backend MUST return a 503 response to the client.
+
+ Additional configurations for defining a constraint on retries MAY be
+ defined in the future.
+
+ Support: Extended
+ properties:
+ budget:
+ default:
+ interval: 10s
+ percent: 20
+ description: Budget holds the details of the retry budget configuration.
+ properties:
+ interval:
+ default: 10s
+ description: |-
+ Interval defines the duration in which requests will be considered
+ for calculating the budget for retries.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ x-kubernetes-validations:
+ - message: interval can not be greater than one hour or less
+ than one second
+ rule: '!(duration(self) < duration(''1s'') || duration(self)
+ > duration(''1h''))'
+ percent:
+ default: 20
+ description: |-
+ Percent defines the maximum percentage of active requests that may
+ be made up of retries.
+
+ Support: Extended
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ minRetryRate:
+ default:
+ count: 10
+ interval: 1s
+ description: |-
+ MinRetryRate defines the minimum rate of retries that will be allowable
+ over a specified duration of time.
+
+ The effective overall minimum rate of retries targeting the backend
+ service may be much higher, as there can be any number of clients which
+ are applying this setting locally.
+
+ This ensures that requests can still be retried during periods of low
+ traffic, where the budget for retries may be calculated as a very low
+ value.
+
+ Support: Extended
+ properties:
+ count:
+ description: |-
+ Count specifies the number of requests per time interval.
+
+ Support: Extended
+ maximum: 1000000
+ minimum: 1
+ type: integer
+ interval:
+ description: |-
+ Interval specifies the divisor of the rate of requests, the amount of
+ time during which the given count of requests occur.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ x-kubernetes-validations:
+ - message: interval can not be greater than one hour
+ rule: '!(duration(self) == duration(''0s'') || duration(self)
+ > duration(''1h''))'
+ type: object
+ type: object
+ sessionPersistence:
+ description: |-
+ SessionPersistence defines and configures session persistence
+ for the backend.
+
+ Support: Extended
+ properties:
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
+
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
+
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
+
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
+
+ Defaults to "Session".
+
+ Support: Core for "Session" type
+
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
+
+ Support: Implementation-specific
+ maxLength: 128
+ type: string
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
+
+ Support: Core for "Cookie" type
+
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ targetRefs:
+ description: |-
+ TargetRefs identifies API object(s) to apply this policy to.
+ Currently, Backends (A grouping of like endpoints such as Service,
+ ServiceImport, or any implementation-specific backendRef) are the only
+ valid API target references.
+
+ Currently, a TargetRef can not be scoped to a specific port on a
+ Service.
+ items:
+ description: |-
+ LocalPolicyTargetReference identifies an API object to apply a direct or
+ inherited policy to. This should be used as part of Policy resources
+ that can target Gateway API resources. For more information on how this
+ policy attachment model works, and a sample Policy resource, refer to
+ the policy attachment documentation for Gateway API.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - group
+ - kind
+ - name
+ x-kubernetes-list-type: map
+ required:
+ - targetRefs
+ type: object
+ status:
+ description: Status defines the current state of BackendTrafficPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: xlistenersets.gateway.networking.x-k8s.io
+spec:
+ group: gateway.networking.x-k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: XListenerSet
+ listKind: XListenerSetList
+ plural: xlistenersets
+ shortNames:
+ - lset
+ singular: xlistenerset
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ XListenerSet defines a set of additional listeners
+ to attach to an existing Gateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ListenerSet.
+ properties:
+ listeners:
+ description: |-
+ Listeners associated with this ListenerSet. Listeners define
+ logical endpoints that are bound on this referenced parent Gateway's addresses.
+
+ Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+ as a list when programming the underlying infrastructure. Each listener
+ name does not need to be unique across the Gateway and ListenerSets.
+ See ListenerEntry.Name for more details.
+
+ Implementations MUST treat the parent Gateway as having the merged
+ list of all listeners from itself and attached ListenerSets using
+ the following precedence:
+
+ 1. "parent" Gateway
+ 2. ListenerSet ordered by creation time (oldest first)
+ 3. ListenerSet ordered alphabetically by “{namespace}/{name}”.
+
+ An implementation MAY reject listeners by setting the ListenerEntryStatus
+ `Accepted`` condition to False with the Reason `TooManyListeners`
+
+ If a listener has a conflict, this will be reported in the
+ Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+
+ Implementations SHOULD be cautious about what information from the
+ parent or siblings are reported to avoid accidentally leaking
+ sensitive information that the child would not otherwise have access
+ to. This can include contents of secrets etc.
+ items:
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ ListenerSet.
+
+ Name is not required to be unique across a Gateway and ListenerSets.
+ Routes can attach to a Listener by having a ListenerSet as a parentRef
+ and setting the SectionName
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: Protocol specifies the network protocol this listener
+ expects to receive.
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ frontendValidation:
+ description: |-
+ FrontendValidation holds configuration information for validating the frontend (client).
+ Setting this field will require clients to send a client certificate
+ required for validation during the TLS handshake. In browsers this may result in a dialog appearing
+ that requests a user to specify the client certificate.
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.
+
+ Support: Extended
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single CA certificate reference to a Kubernetes ConfigMap
+ has "Core" support.
+ Implementations MAY choose to support attaching multiple CA certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one reference, or other kinds
+ of resources).
+
+ References to a resource in a different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+ items:
+ description: |-
+ ObjectReference identifies an API object including its namespace.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When set to the empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "ConfigMap" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ type: object
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port)
+ && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname)
+ && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname)
+ && !has(l2.hostname))))'
+ parentRef:
+ description: ParentRef references the Gateway that the listeners are
+ attached to.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: Kind is kind of the referent. For example "Gateway".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. If not present,
+ the namespace of the referent is assumed to be the same as
+ the namespace of the referring object.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - listeners
+ - parentRef
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of ListenerSet.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the ListenerSet.
+
+ Implementations MUST express ListenerSet conditions using the
+ `ListenerSetConditionType` and `ListenerSetConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe ListenerSet state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
- controllerName:
- description: |-
- ControllerName is a domain/path string that indicates the name of the
- controller that wrote this status. This corresponds with the
- controllerName field on GatewayClass.
-
- Example: "example.net/gateway-controller".
-
- The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
- valid Kubernetes names
- (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
-
- Controllers MUST populate this field when writing status. Controllers should ensure that
- entries to status populated with their ControllerName are cleaned up when they are no
- longer necessary.
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
maxLength: 253
minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
- parentRef:
+ port:
+ description: Port is the network port the listener is configured
+ to listen on.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ supportedKinds:
description: |-
- ParentRef corresponds with a ParentRef in the spec that this
- RouteParentStatus struct describes the status of.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: |-
- Group is the group of the referent.
- When unspecified, "gateway.networking.k8s.io" is inferred.
- To set the core API group (such as for a "Service" kind referent),
- Group must be explicitly set to "" (empty string).
-
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: |-
- Kind is kind of the referent.
-
- There are two kinds of parent resources with "Core" support:
-
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
-
- Support for other resources is Implementation-Specific.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: |-
- Name is the name of the referent.
-
- Support: Core
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. When unspecified, this refers
- to the local namespace of the Route.
-
- Note that there are specific rules for ParentRefs which cross namespace
- boundaries. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example:
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable any other kind of cross-namespace reference.
-
-
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
-
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
-
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port is the network port this Route targets. It can be interpreted
- differently based on the type of parent resource.
-
- When the parent resource is a Gateway, this targets all listeners
- listening on the specified port that also support this kind of Route(and
- select this Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to a specific port
- as opposed to a listener(s) whose port(s) may be changed. When both Port
- and SectionName are specified, the name and port of the selected listener
- must match both specified values.
-
-
- When the parent resource is a Service, this targets a specific port in the
- Service spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified values.
-
-
- Implementations MAY choose to support other parent resources.
- Implementations supporting other types of parent resources MUST clearly
- document how/if Port is interpreted.
-
- For the purpose of status, an attachment is considered successful as
- long as the parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
-
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- description: |-
- SectionName is the name of a section within the target resource. In the
- following resources, SectionName is interpreted as the following:
-
- * Gateway: Listener name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
- * Service: Port name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
-
- Implementations MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName is
- interpreted.
-
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
required:
- - controllerName
- - parentRef
+ - attachedRoutes
+ - conditions
+ - name
+ - port
+ - supportedKinds
type: object
- maxItems: 32
+ maxItems: 64
type: array
- required:
- - parents
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
type: object
required:
- spec
@@ -14987,7 +17331,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: backends.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -15076,6 +17420,13 @@ spec:
- hostname
- port
type: object
+ hostname:
+ description: Hostname defines an optional hostname for the backend
+ endpoint.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
ip:
description: IP defines an IP endpoint. Supports both IPv4 and
IPv6 addresses.
@@ -15102,12 +17453,19 @@ spec:
description: Unix defines the unix domain socket endpoint
properties:
path:
- description: Path defines the unix domain socket path of
- the backend endpoint.
+ description: |-
+ Path defines the unix domain socket path of the backend endpoint.
+ The path length must not exceed 108 characters.
type: string
+ x-kubernetes-validations:
+ - message: unix domain socket path must not exceed 108 characters
+ rule: size(self) <= 108
required:
- path
type: object
+ zone:
+ description: Zone defines the service zone of the backend endpoint.
+ type: string
type: object
x-kubernetes-validations:
- message: one of fqdn, ip or unix must be specified
@@ -15130,7 +17488,102 @@ spec:
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%.
type: boolean
+ tls:
+ description: |-
+ TLS defines the TLS settings for the backend.
+ If TLS is specified here and a BackendTLSPolicy is also configured for the backend, the final TLS settings will
+ be a merge of both configurations. In case of overlapping fields, the values defined in the BackendTLSPolicy will
+ take precedence.
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to Kubernetes objects that
+ contain TLS certificates of the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the backend.
+
+ A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+ with the CA certificate in a key named `ca.crt` is currently supported.
+
+ If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+ specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+ not both.
+ items:
+ description: |-
+ LocalObjectReference identifies an API object within the namespace of the
+ referrer.
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example "HTTPRoute"
+ or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ type: array
+ insecureSkipVerify:
+ default: false
+ description: |-
+ InsecureSkipVerify indicates whether the upstream's certificate verification
+ should be skipped. Defaults to "false".
+ type: boolean
+ wellKnownCACertificates:
+ description: |-
+ WellKnownCACertificates specifies whether system CA certificates may be used in
+ the TLS handshake between the gateway and backend pod.
+
+ If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+ must be specified with at least one entry for a valid configuration. Only one of
+ CACertificateRefs or WellKnownCACertificates may be specified, not both.
+ enum:
+ - System
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: must not contain both CACertificateRefs and WellKnownCACertificates
+ rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")'
+ - message: must not contain either CACertificateRefs or WellKnownCACertificates
+ when InsecureSkipVerify is enabled
+ rule: '!((has(self.insecureSkipVerify) && self.insecureSkipVerify)
+ && ((has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0) || (has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")))'
+ type:
+ default: Endpoints
+ description: Type defines the type of the backend. Defaults to "Endpoints"
+ enum:
+ - Endpoints
+ - DynamicResolver
+ type: string
type: object
+ x-kubernetes-validations:
+ - message: DynamicResolver type cannot have endpoints specified
+ rule: self.type != 'DynamicResolver' || !has(self.endpoints)
status:
description: Status defines the current status of Backend.
properties:
@@ -15211,7 +17664,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: backendtrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -15306,6 +17759,20 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers that will apply
+ per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum number
+ of connections that Envoy will establish per-endpoint to
+ the referenced backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
compression:
description: The compression config for the http streams.
@@ -15370,6 +17837,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -15417,6 +17896,7 @@ spec:
properties:
fixedDelay:
description: FixedDelay specifies the fixed delay duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
percentage:
default: 100
@@ -15500,11 +17980,18 @@ spec:
Defaults to 200 only
items:
description: HTTPStatus defines the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -15519,11 +18006,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time between active health
checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -15597,7 +18090,7 @@ spec:
default: 1s
description: Timeout defines the time to wait for a health
check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -15631,6 +18124,16 @@ spec:
- message: The grpc field can only be set if the Health Checker
type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -15638,7 +18141,7 @@ spec:
default: 30s
description: BaseEjectionTime defines the base duration for
which a host will be ejected on consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -15663,7 +18166,7 @@ spec:
default: 3s
description: Interval defines the time between passive health
checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -15719,6 +18222,37 @@ spec:
Default: TerminateConnection
type: string
type: object
+ httpUpgrade:
+ description: |-
+ HTTPUpgrade defines the configuration for HTTP protocol upgrades.
+ If not specified, the default upgrade configuration(websocket) will be used.
+ items:
+ description: ProtocolUpgradeConfig specifies the configuration for
+ protocol upgrades.
+ properties:
+ connect:
+ description: |-
+ Connect specifies the configuration for the CONNECT config.
+ This is allowed only when type is CONNECT.
+ properties:
+ terminate:
+ description: Terminate the CONNECT request, and forwards
+ the payload as raw TCP data.
+ type: boolean
+ type: object
+ type:
+ description: |-
+ Type is the case-insensitive type of protocol upgrade.
+ e.g. `websocket`, `CONNECT`, `spdy/3.1` etc.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: The connect configuration is only allowed when the type
+ is CONNECT.
+ rule: '!has(self.connect) || self.type == ''CONNECT'''
+ type: array
loadBalancer:
description: |-
LoadBalancer policy to apply when routing traffic from the gateway to
@@ -15751,6 +18285,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -15794,6 +18329,34 @@ spec:
- message: If consistent hash type is cookie, the cookie field
must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie) : !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to extract endpoint
+ override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines a source
+ to extract endpoint override information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -15806,6 +18369,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -15824,6 +18388,34 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related to the
+ distribution of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware routing
+ to prefer sending traffic to the local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the minimum number
+ of total upstream endpoints across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -15836,6 +18428,18 @@ spec:
LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash''] ? !has(self.slowStart)
: true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) :
+ true '
+ mergeType:
+ description: |-
+ MergeType determines how this configuration is merged with existing BackendTrafficPolicy
+ configurations targeting a parent resource. When set, this configuration will be merged
+ into a parent BackendTrafficPolicy (i.e. the one targeting a Gateway or Listener).
+ This field cannot be set when targeting a parent resource (Gateway).
+ If unset, no merging occurs, and only the most specific configuration takes effect.
+ type: string
proxyProtocol:
description: ProxyProtocol enables the Proxy Protocol when communicating
with the backend.
@@ -15913,7 +18517,10 @@ spec:
values within the header.
type: boolean
name:
- description: Name of the HTTP header.
+ description: |-
+ Name of the HTTP header.
+ The header name is case-insensitive unless PreserveHeaderCase is set to true.
+ For example, "Foo" and "foo" are considered the same header.
maxLength: 256
minLength: 1
type: string
@@ -15928,8 +18535,7 @@ spec:
type: string
value:
description: |-
- Value within the HTTP header. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
+ Value within the HTTP header.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header.
maxLength: 1024
@@ -16084,17 +18690,25 @@ spec:
unit:
description: |-
RateLimitUnit specifies the intervals for setting rate limits.
- Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year".
enum:
- Second
- Minute
- Hour
- Day
+ - Month
+ - Year
type: string
required:
- requests
- unit
type: object
+ shared:
+ description: |-
+ Shared determines whether this rate limit rule applies across all the policy targets.
+ If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes).
+ Default: false.
+ type: boolean
required:
- limit
type: object
@@ -16154,7 +18768,10 @@ spec:
values within the header.
type: boolean
name:
- description: Name of the HTTP header.
+ description: |-
+ Name of the HTTP header.
+ The header name is case-insensitive unless PreserveHeaderCase is set to true.
+ For example, "Foo" and "foo" are considered the same header.
maxLength: 256
minLength: 1
type: string
@@ -16169,8 +18786,7 @@ spec:
type: string
value:
description: |-
- Value within the HTTP header. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
+ Value within the HTTP header.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header.
maxLength: 1024
@@ -16325,17 +18941,25 @@ spec:
unit:
description: |-
RateLimitUnit specifies the intervals for setting rate limits.
- Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year".
enum:
- Second
- Minute
- Hour
- Day
+ - Month
+ - Year
type: string
required:
- requests
- unit
type: object
+ shared:
+ description: |-
+ Shared determines whether this rate limit rule applies across all the policy targets.
+ If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes).
+ Default: false.
+ type: boolean
required:
- limit
type: object
@@ -16356,6 +18980,31 @@ spec:
required:
- type
type: object
+ requestBuffer:
+ description: |-
+ RequestBuffer allows the gateway to buffer and fully receive each request from a client before continuing to send the request
+ upstream to the backends. This can be helpful to shield your backend servers from slow clients, and also to enforce a maximum size per request
+ as any requests larger than the buffer size will be rejected.
+
+ This can have a negative performance impact so should only be enabled when necessary.
+
+ When enabling this option, you should also configure your connection buffer size to account for these request buffers. There will also be an
+ increase in memory usage for Envoy that should be accounted for in your deployment settings.
+ properties:
+ limit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Limit specifies the maximum allowed size in bytes for each incoming request buffer.
+ If exceeded, the request will be rejected with HTTP 413 Content Too Large.
+
+ Accepts values in resource.Quantity format (e.g., "10Mi", "500Ki").
+ x-kubernetes-int-or-string: true
+ type: object
responseOverride:
description: |-
ResponseOverride defines the configuration to override specific responses with a custom one.
@@ -16425,11 +19074,127 @@ spec:
required:
- statusCodes
type: object
+ redirect:
+ description: Redirect configuration
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+ Only ReplaceFullPath path modifier is supported currently.
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: only ReplaceFullPath is supported for path.type
+ rule: self.type == 'ReplaceFullPath'
+ - message: replaceFullPath must be specified when type is
+ set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type == ''ReplaceFullPath''
+ : true'
+ - message: replacePrefixMatch must be specified when type
+ is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when replacePrefixMatch
+ is set
+ rule: 'has(self.replacePrefixMatch) ? self.type == ''ReplacePrefixMatch''
+ : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If redirect scheme is not-empty, the well-known port associated with the redirect scheme will be used.
+ Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a
+ well-known port or redirect scheme is empty, the listener port of the Gateway will be used.
+
+ Port will not be added in the 'Location' header if scheme is HTTP and port is 80
+ or scheme is HTTPS and port is 443.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: StatusCode is the HTTP status code to be used
+ in response.
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
response:
description: Response configuration.
properties:
body:
- description: Body of the Custom Response
+ description: |-
+ Body of the Custom Response
+ Supports Envoy command operators for dynamic content (see https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators).
properties:
inline:
description: Inline contains the value as an inline
@@ -16506,14 +19271,24 @@ spec:
type: object
required:
- match
- - response
type: object
+ x-kubernetes-validations:
+ - message: exactly one of response or redirect must be specified
+ rule: (has(self.response) && !has(self.redirect)) || (!has(self.response)
+ && has(self.redirect))
type: array
retry:
description: |-
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of retries to be attempted.
@@ -16534,18 +19309,18 @@ spec:
baseInterval:
description: BaseInterval is the base interval between
retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout per retry attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -16560,8 +19335,7 @@ spec:
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
items:
description: HTTPStatus defines the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -16574,6 +19348,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -16706,6 +19481,39 @@ spec:
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -16714,7 +19522,6 @@ spec:
type: object
required:
- kind
- - matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
@@ -16748,6 +19555,101 @@ spec:
format: int32
type: integer
type: object
+ telemetry:
+ description: |-
+ Telemetry configures the telemetry settings for the policy target (Gateway or xRoute).
+ This will override the telemetry settings in the EnvoyProxy resource.
+ properties:
+ tracing:
+ description: Tracing configures the tracing settings for the backend
+ or HTTPRoute.
+ properties:
+ customTags:
+ additionalProperties:
+ properties:
+ environment:
+ description: |-
+ Environment adds value from environment variable to each span.
+ It's required when the type is "Environment".
+ properties:
+ defaultValue:
+ description: DefaultValue defines the default value
+ to use if the environment variable is not set.
+ type: string
+ name:
+ description: Name defines the name of the environment
+ variable which to extract the value from.
+ type: string
+ required:
+ - name
+ type: object
+ literal:
+ description: |-
+ Literal adds hard-coded value to each span.
+ It's required when the type is "Literal".
+ properties:
+ value:
+ description: Value defines the hard-coded value
+ to add to each span.
+ type: string
+ required:
+ - value
+ type: object
+ requestHeader:
+ description: |-
+ RequestHeader adds value from request header to each span.
+ It's required when the type is "RequestHeader".
+ properties:
+ defaultValue:
+ description: DefaultValue defines the default value
+ to use if the request header is not set.
+ type: string
+ name:
+ description: Name defines the name of the request
+ header which to extract the value from.
+ type: string
+ required:
+ - name
+ type: object
+ type:
+ default: Literal
+ description: Type defines the type of custom tag.
+ enum:
+ - Literal
+ - Environment
+ - RequestHeader
+ type: string
+ required:
+ - type
+ type: object
+ description: |-
+ CustomTags defines the custom tags to add to each span.
+ If provider is kubernetes, pod name and namespace are added by default.
+ type: object
+ samplingFraction:
+ description: |-
+ SamplingFraction represents the fraction of requests that should be
+ selected for tracing if no prior sampling decision has been made.
+
+ This will take precedence over sampling fraction on EnvoyProxy if set.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to denominator
+ rule: self.numerator <= self.denominator
+ type: object
+ type: object
timeout:
description: Timeout settings for the backend connections.
properties:
@@ -17124,7 +20026,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: clienttrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -17273,6 +20175,15 @@ spec:
required:
- value
type: object
+ maxAcceptPerSocketEvent:
+ default: 1
+ description: |-
+ MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
+ per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
+ this threshold will be accepted in later event loop iterations.
+ Defaults to 1 and can be disabled by setting to 0 for allowing unlimited accepted connections.
+ format: int32
+ type: integer
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -17293,6 +20204,8 @@ spec:
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed.
+
+ Deprecated: Use ProxyProtocol instead.
type: boolean
headers:
description: HeaderSettings provides configuration for header management.
@@ -17332,7 +20245,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -17353,7 +20266,7 @@ spec:
- name
- value
type: object
- maxItems: 16
+ maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
@@ -17379,7 +20292,7 @@ spec:
my-header2: bar
items:
type: string
- maxItems: 16
+ maxItems: 64
type: array
x-kubernetes-list-type: set
set:
@@ -17406,7 +20319,7 @@ spec:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
- case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
@@ -17427,7 +20340,7 @@ spec:
- name
- value
type: object
- maxItems: 16
+ maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
@@ -17442,8 +20355,20 @@ spec:
description: |-
PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
- It defaults to false.
+ Defaults to false and cannot be combined with RequestID.
+ Deprecated: use RequestID=Preserve instead
type: boolean
+ requestID:
+ description: |-
+ RequestID configures Envoy's behavior for handling the `X-Request-ID` header.
+ Defaults to `Generate` and builds the `X-Request-ID` for every request and ignores pre-existing values from the edge.
+ (An "edge request" refers to a request from an external client to the Envoy entrypoint.)
+ enum:
+ - PreserveOrGenerate
+ - Preserve
+ - Generate
+ - Disable
+ type: string
withUnderscoresAction:
description: |-
WithUnderscoresAction configures the action to take when an HTTP header with underscores
@@ -17505,6 +20430,9 @@ spec:
> 0) ? (self.mode == ''AppendForward'' || self.mode == ''SanitizeSet'')
: true'
type: object
+ x-kubernetes-validations:
+ - message: preserveXRequestID and requestID cannot both be set.
+ rule: '!(has(self.preserveXRequestID) && has(self.requestID))'
healthCheck:
description: HealthCheck provides configuration for determining whether
the HTTP/HTTPS listener is healthy.
@@ -17610,6 +20538,24 @@ spec:
- UnescapeAndRedirect
type: string
type: object
+ proxyProtocol:
+ description: |-
+ ProxyProtocol configures the Proxy Protocol settings. When configured,
+ the Proxy Protocol header will be interpreted and the Client Address
+ will be added into the X-Forwarded-For header.
+ If both EnableProxyProtocol and ProxyProtocol are set, ProxyProtocol takes precedence.
+ minProperties: 0
+ properties:
+ optional:
+ description: |-
+ Optional allows requests without a Proxy Protocol header to be proxied.
+ If set to true, the listener will accept requests without a Proxy Protocol header.
+ If set to false, the listener will reject requests without a Proxy Protocol header.
+ If not set, the default behavior is to reject requests without a Proxy Protocol header.
+ Warning: Optional breaks conformance with the specification. Only enable if ALL traffic to the listener comes from a trusted source.
+ For more information on security implications, see haproxy.org/download/2.1/doc/proxy-protocol.txt
+ type: boolean
+ type: object
targetRef:
description: |-
TargetRef is the name of the resource this policy is being attached to.
@@ -17729,6 +20675,39 @@ spec:
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -17737,7 +20716,6 @@ spec:
type: object
required:
- kind
- - matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
@@ -17790,6 +20768,12 @@ spec:
initiation and stops when either the last byte of the request is sent upstream or when the response begins.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ streamIdleTimeout:
+ description: |2-
+ The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity.
+ Default: 5 minutes.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
type: object
tcp:
description: Timeout settings for TCP.
@@ -17917,11 +20901,174 @@ spec:
type: object
maxItems: 8
type: array
+ certificateHashes:
+ description: |-
+ An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will
+ verify that the SHA-256 of the DER-encoded presented certificate matches
+ one of the specified values.
+ items:
+ type: string
+ type: array
optional:
description: |-
Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate.
type: boolean
+ spkiHashes:
+ description: |-
+ An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will
+ verify that the SHA-256 of the DER-encoded Subject Public Key Information
+ (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ type: array
+ subjectAltNames:
+ description: |-
+ An optional list of Subject Alternative name matchers. If specified, Envoy
+ will verify that the Subject Alternative Name of the presented certificate
+ matches one of the specified matchers
+ properties:
+ dnsNames:
+ description: DNS names matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ emailAddresses:
+ description: Email addresses matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ ipAddresses:
+ description: IP addresses matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ otherNames:
+ description: Other names matchers
+ items:
+ properties:
+ oid:
+ description: OID Value
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - oid
+ - value
+ type: object
+ type: array
+ uris:
+ description: URIs matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ type: object
type: object
ecdhCurves:
description: |-
@@ -18323,7 +21470,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: envoyextensionpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -18588,6 +21735,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers that
+ will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend connection settings.
@@ -18628,6 +21790,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -18709,11 +21883,18 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -18728,11 +21909,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time between active
health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -18811,7 +21998,7 @@ spec:
default: 1s
description: Timeout defines the time to wait for
a health check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -18846,6 +22033,16 @@ spec:
- message: The grpc field can only be set if the Health
Checker type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -18854,7 +22051,7 @@ spec:
description: BaseEjectionTime defines the base duration
for which a host will be ejected on consecutive
failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -18879,7 +22076,7 @@ spec:
default: 3s
description: Interval defines the time between passive
health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -18969,6 +22166,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -19014,6 +22212,35 @@ spec:
field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
: !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -19026,6 +22253,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -19044,6 +22272,35 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the minimum
+ number of total upstream endpoints across
+ all zones required to enable zone-aware routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -19056,6 +22313,10 @@ spec:
and LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash''] ?
!has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
proxyProtocol:
description: ProxyProtocol enables the Proxy Protocol when
communicating with the backend.
@@ -19078,6 +22339,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of retries to
@@ -19098,18 +22366,18 @@ spec:
baseInterval:
description: BaseInterval is the base interval
between retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout per retry attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -19125,8 +22393,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -19140,6 +22407,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -19217,10 +22485,16 @@ spec:
type: object
type: object
failOpen:
+ default: false
description: |-
- FailOpen defines if requests or responses that cannot be processed due to connectivity to the
- external processor are terminated or passed-through.
- Default: false
+ FailOpen is a switch used to control the behavior when failing to call the external processor.
+
+ If FailOpen is set to true, the system bypasses the ExtProc extension and
+ allows the traffic to pass through. If it is set to false or
+ not set (defaulting to false), the system blocks the traffic and returns
+ an HTTP 5xx error.
+
+ If set to true, the ExtProc extension will also be bypassed if the configuration is invalid.
type: boolean
messageTimeout:
description: |-
@@ -19286,6 +22560,7 @@ spec:
- Streamed
- Buffered
- BufferedPartial
+ - FullDuplexStreamed
type: string
type: object
response:
@@ -19309,6 +22584,7 @@ spec:
- Streamed
- Buffered
- BufferedPartial
+ - FullDuplexStreamed
type: string
type: object
type: object
@@ -19316,13 +22592,23 @@ spec:
x-kubernetes-validations:
- message: BackendRefs must be used, backendRef is not supported.
rule: '!has(self.backendRef)'
- - message: BackendRefs only supports Service and Backend kind.
+ - message: BackendRefs only supports Service, ServiceImport, and
+ Backend kind.
rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
- == ''Service'' || f.kind == ''Backend'') : true'
- - message: BackendRefs only supports Core and gateway.envoyproxy.io
- group.
+ == ''Service'' || f.kind == ''ServiceImport'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only supports Core, multicluster.x-k8s.io,
+ and gateway.envoyproxy.io groups.
rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
- == "" || f.group == ''gateway.envoyproxy.io'')) : true'
+ == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
+ ''gateway.envoyproxy.io'')) : true'
+ - message: If FullDuplexStreamed body processing mode is used, FailOpen
+ must be false.
+ rule: '!(has(self.failOpen) && self.failOpen == true && has(self.processingMode)
+ && ((has(self.processingMode.request) && has(self.processingMode.request.body)
+ && self.processingMode.request.body == ''FullDuplexStreamed'')
+ || (has(self.processingMode.response) && has(self.processingMode.response.body)
+ && self.processingMode.response.body == ''FullDuplexStreamed'')))'
maxItems: 16
type: array
lua:
@@ -19379,8 +22665,8 @@ spec:
type: object
x-kubernetes-validations:
- message: Only a reference to an object of kind ConfigMap belonging
- to default core API group is supported.
- rule: self.kind == 'ConfigMap' && (!has(self.group) || self.group
+ to default v1 API group is supported.
+ rule: self.kind == 'ConfigMap' && (self.group == 'v1' || self.group
== '')
required:
- type
@@ -19511,6 +22797,39 @@ spec:
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -19519,7 +22838,6 @@ spec:
type: object
required:
- kind
- - matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
@@ -19554,6 +22872,62 @@ spec:
If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
type: string
+ tls:
+ description: TLS configuration when connecting to the
+ Wasm code source.
+ properties:
+ caCertificateRef:
+ description: |-
+ CACertificateRef contains a references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the Wasm code source.
+
+ Kubernetes ConfigMap and Kubernetes Secret are supported.
+ Note: The ConfigMap or Secret must be in the same namespace as the EnvoyExtensionPolicy.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For
+ example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - caCertificateRef
+ type: object
url:
description: URL is the URL containing the Wasm code.
pattern: ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*
@@ -19623,6 +22997,62 @@ spec:
If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
type: string
+ tls:
+ description: TLS configuration when connecting to the
+ Wasm code source.
+ properties:
+ caCertificateRef:
+ description: |-
+ CACertificateRef contains a references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the Wasm code source.
+
+ Kubernetes ConfigMap and Kubernetes Secret are supported.
+ Note: The ConfigMap or Secret must be in the same namespace as the EnvoyExtensionPolicy.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For
+ example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - caCertificateRef
+ type: object
url:
description: |-
URL is the URL of the OCI image.
@@ -19687,10 +23117,13 @@ spec:
description: |-
FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
+
If FailOpen is set to true, the system bypasses the Wasm extension and
- allows the traffic to pass through. Otherwise, if it is set to false or
+ allows the traffic to pass through. If it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error.
+
+ If set to true, the Wasm extension will also be bypassed if the configuration is invalid.
type: boolean
name:
description: |-
@@ -20047,7 +23480,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: envoypatchpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -20525,7 +23958,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: envoyproxies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -20769,7 +24202,7 @@ spec:
type:
default: Replace
description: |-
- Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
+ Type is the type of the bootstrap configuration, it should be either **Replace**, **Merge**, or **JSONPatch**.
If unspecified, it defaults to Replace.
enum:
- Merge
@@ -20822,6 +24255,8 @@ spec:
- envoy.filters.http.stateful_session
+ - envoy.filters.http.lua
+
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
@@ -20855,6 +24290,7 @@ spec:
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
+ - envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
@@ -20877,6 +24313,7 @@ spec:
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
+ - envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
@@ -20897,6 +24334,7 @@ spec:
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
+ - envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
@@ -20940,10 +24378,11 @@ spec:
description: LogLevel defines a log level for Envoy Gateway
and EnvoyProxy system logs.
enum:
+ - trace
- debug
- info
- - error
- warn
+ - error
type: string
default:
default: warn
@@ -20952,6 +24391,15 @@ spec:
and the log level is the value. If unspecified, defaults to "default: warn".
type: object
type: object
+ luaValidation:
+ description: |-
+ LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+ Default: Strict
+ enum:
+ - Strict
+ - InsecureSyntax
+ - Disabled
+ type: string
mergeGateways:
description: |-
MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
@@ -21114,9 +24562,24 @@ spec:
type: object
type: array
image:
- description: Image specifies the EnvoyProxy container
- image to be used, instead of the default image.
+ description: |-
+ Image specifies the EnvoyProxy container image to be used including a tag, instead of the default image.
+ This field is mutually exclusive with ImageRepository.
type: string
+ x-kubernetes-validations:
+ - message: Image must include a tag and allowed characters
+ only (e.g., 'repo:tag').
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
+ imageRepository:
+ description: |-
+ ImageRepository specifies the container image repository to be used without specifying a tag.
+ The default tag will be used.
+ This field is mutually exclusive with Image.
+ type: string
+ x-kubernetes-validations:
+ - message: ImageRepository must contain only allowed
+ characters and must not include a tag.
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$')
resources:
description: |-
Resources required by this container.
@@ -21441,6 +24904,9 @@ spec:
type: object
type: array
type: object
+ x-kubernetes-validations:
+ - message: Either image or imageRepository can be set.
+ rule: '!has(self.image) || !has(self.imageRepository)'
name:
description: |-
Name of the daemonSet.
@@ -21761,7 +25227,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -21776,7 +25241,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -21946,7 +25410,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -21961,7 +25424,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -22130,7 +25592,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -22145,7 +25606,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -22315,7 +25775,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -22330,7 +25789,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -22859,7 +26317,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -22870,7 +26327,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
@@ -23860,7 +27316,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -24951,9 +28407,24 @@ spec:
type: object
type: array
image:
- description: Image specifies the EnvoyProxy container
- image to be used, instead of the default image.
+ description: |-
+ Image specifies the EnvoyProxy container image to be used including a tag, instead of the default image.
+ This field is mutually exclusive with ImageRepository.
type: string
+ x-kubernetes-validations:
+ - message: Image must include a tag and allowed characters
+ only (e.g., 'repo:tag').
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
+ imageRepository:
+ description: |-
+ ImageRepository specifies the container image repository to be used without specifying a tag.
+ The default tag will be used.
+ This field is mutually exclusive with Image.
+ type: string
+ x-kubernetes-validations:
+ - message: ImageRepository must contain only allowed
+ characters and must not include a tag.
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$')
resources:
description: |-
Resources required by this container.
@@ -25278,6 +28749,9 @@ spec:
type: object
type: array
type: object
+ x-kubernetes-validations:
+ - message: Either image or imageRepository can be set.
+ rule: '!has(self.image) || !has(self.imageRepository)'
initContainers:
description: |-
List of initialization containers belonging to the pod.
@@ -25453,7 +28927,7 @@ spec:
Cannot be updated.
items:
description: EnvFromSource represents the source
- of a set of ConfigMaps
+ of a set of ConfigMaps or Secrets
properties:
configMapRef:
description: The ConfigMap to select from
@@ -25474,9 +28948,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
prefix:
- description: An optional identifier to prepend
- to each key in the ConfigMap. Must be a
- C_IDENTIFIER.
+ description: Optional text to prepend to the
+ name of each environment variable. Must
+ be a C_IDENTIFIER.
type: string
secretRef:
description: The Secret to select from
@@ -25748,6 +29222,12 @@ spec:
- port
type: object
type: object
+ stopSignal:
+ description: |-
+ StopSignal defines which signal will be sent to a container when it is being stopped.
+ If not specified, the default is defined by the container runtime in use.
+ StopSignal can only be set for Pods with a non-empty .spec.os.name
+ type: string
type: object
livenessProbe:
description: |-
@@ -27050,7 +30530,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -27065,7 +30544,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -27235,7 +30713,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -27250,7 +30727,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -27419,7 +30895,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -27434,7 +30909,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -27604,7 +31078,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -27619,7 +31092,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -28148,7 +31620,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -28159,7 +31630,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
@@ -29149,7 +32619,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -30100,9 +33570,8 @@ spec:
type: object
type: object
envoyHpa:
- description: |-
- EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
- Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored.
+ description: EnvoyHpa defines the Horizontal Pod Autoscaler
+ settings for Envoy Proxy Deployment.
properties:
behavior:
description: |-
@@ -30121,7 +33590,9 @@ spec:
policies:
description: |-
policies is a list of potential scaling polices which can be used during scaling.
- At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
+ If not set, use the default values:
+ - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+ - For scale down: allow all pods to be removed in a 15s window.
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past
@@ -30165,6 +33636,24 @@ spec:
- For scale down: 300 (i.e. the stabilization window is 300 seconds long).
format: int32
type: integer
+ tolerance:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ tolerance is the tolerance on the ratio between the current and desired
+ metric value under which no updates are made to the desired number of
+ replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+ set, the default cluster-wide tolerance is applied (by default 10%).
+
+ For example, if autoscaling is configured with a memory consumption target of 100Mi,
+ and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+ triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+ This is an alpha field and requires enabling the HPAConfigurableTolerance
+ feature gate.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
type: object
scaleUp:
description: |-
@@ -30177,7 +33666,9 @@ spec:
policies:
description: |-
policies is a list of potential scaling polices which can be used during scaling.
- At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
+ If not set, use the default values:
+ - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+ - For scale down: allow all pods to be removed in a 15s window.
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past
@@ -30221,6 +33712,24 @@ spec:
- For scale down: 300 (i.e. the stabilization window is 300 seconds long).
format: int32
type: integer
+ tolerance:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ tolerance is the tolerance on the ratio between the current and desired
+ metric value under which no updates are made to the desired number of
+ replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+ set, the default cluster-wide tolerance is applied (by default 10%).
+
+ For example, if autoscaling is configured with a memory consumption target of 100Mi,
+ and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+ triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+ This is an alpha field and requires enabling the HPAConfigurableTolerance
+ feature gate.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
type: object
type: object
maxReplicas:
@@ -30721,6 +34230,11 @@ spec:
x-kubernetes-validations:
- message: minReplicas must be greater than 0
rule: self > 0
+ name:
+ description: |-
+ Name of the horizontalPodAutoScaler.
+ When unset, this defaults to an autogenerated name.
+ type: string
patch:
description: Patch defines how to perform the patch operation
to the HorizontalPodAutoscaler
@@ -30748,13 +34262,29 @@ spec:
description: EnvoyPDB allows to control the pod disruption
budget of an Envoy Proxy.
properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ MaxUnavailable specifies the maximum amount of pods (can be expressed as integers or as a percentage) that can be unavailable at all times during voluntary disruptions,
+ such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
+ and resilience during maintenance operations. Cannot be combined with minAvailable.
+ x-kubernetes-int-or-string: true
minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
description: |-
- MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
+ MinAvailable specifies the minimum amount of pods (can be expressed as integers or as a percentage) that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
- and resilience during maintenance operations.
- format: int32
- type: integer
+ and resilience during maintenance operations. Cannot be combined with maxUnavailable.
+ x-kubernetes-int-or-string: true
+ name:
+ description: |-
+ Name of the podDisruptionBudget.
+ When unset, this defaults to an autogenerated name.
+ type: string
patch:
description: Patch defines how to perform the patch operation
to the PodDisruptionBudget
@@ -30773,6 +34303,11 @@ spec:
- value
type: object
type: object
+ x-kubernetes-validations:
+ - message: only one of minAvailable or maxUnavailable can
+ be specified
+ rule: (has(self.minAvailable) && !has(self.maxUnavailable))
+ || (!has(self.minAvailable) && has(self.maxUnavailable))
envoyService:
description: |-
EnvoyService defines the desired state of the Envoy service resource.
@@ -30884,6 +34419,16 @@ spec:
- message: loadBalancerIP can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ type: object
useListenerPortAsContainerPort:
description: |-
UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
@@ -30926,11 +34471,13 @@ spec:
description: |-
DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
minDrainDuration:
description: |-
MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
telemetry:
@@ -31225,6 +34772,23 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit
+ Breakers that will apply per-endpoint
+ for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures
+ the maximum number of connections
+ that Envoy will establish per-endpoint
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend
@@ -31267,6 +34831,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -31356,11 +34932,18 @@ spec:
description: HTTPStatus
defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -31377,12 +34960,18 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines
the time between active health
checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -31471,7 +35060,7 @@ spec:
description: Timeout defines the
time to wait for a health check
response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -31514,6 +35103,16 @@ spec:
is GRPC.
rule: 'has(self.grpc) ? self.type
== ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check
configuration
@@ -31524,7 +35123,7 @@ spec:
defines the base duration for
which a host will be ejected
on consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -31552,7 +35151,7 @@ spec:
description: Interval defines
the time between passive health
checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -31647,6 +35246,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -31698,6 +35298,37 @@ spec:
be set.
rule: 'self.type == ''Cookie'' ?
has(self.cookie) : !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines
+ the sources to extract endpoint
+ override information from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract
+ endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -31710,6 +35341,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -31728,6 +35360,39 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the
+ configuration related to the distribution
+ of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer
+ sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold
+ is the minimum number of
+ total upstream endpoints
+ across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -31741,6 +35406,11 @@ spec:
load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only
+ supported for LeastRequest, Random,
+ and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash''
+ ? !has(self.zoneAware) : true '
proxyProtocol:
description: ProxyProtocol enables the
Proxy Protocol when communicating with
@@ -31764,6 +35434,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number
@@ -31786,19 +35463,19 @@ spec:
description: BaseInterval
is the base interval between
retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout
per retry attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -31814,8 +35491,7 @@ spec:
items:
description: HTTPStatus defines
the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -31830,6 +35506,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -31964,12 +35641,16 @@ spec:
- message: must have at least one backend in backendRefs
rule: has(self.backendRefs) && self.backendRefs.size()
> 0
- - message: BackendRefs only supports Service kind.
+ - message: BackendRefs only support Service and
+ Backend kind.
rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
- f.kind == ''Service'') : true'
- - message: BackendRefs only supports Core group.
+ f.kind == ''Service'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
- f.group == "")) : true'
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
file:
description: File defines the file accesslog sink.
properties:
@@ -32202,6 +35883,23 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit
+ Breakers that will apply per-endpoint
+ for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures
+ the maximum number of connections
+ that Envoy will establish per-endpoint
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend
@@ -32244,6 +35942,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -32333,11 +36043,18 @@ spec:
description: HTTPStatus
defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -32354,12 +36071,18 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines
the time between active health
checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -32448,7 +36171,7 @@ spec:
description: Timeout defines the
time to wait for a health check
response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -32491,6 +36214,16 @@ spec:
is GRPC.
rule: 'has(self.grpc) ? self.type
== ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check
configuration
@@ -32501,7 +36234,7 @@ spec:
defines the base duration for
which a host will be ejected
on consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -32529,7 +36262,7 @@ spec:
description: Interval defines
the time between passive health
checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -32624,6 +36357,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -32675,6 +36409,37 @@ spec:
be set.
rule: 'self.type == ''Cookie'' ?
has(self.cookie) : !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines
+ the sources to extract endpoint
+ override information from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract
+ endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -32687,6 +36452,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -32705,6 +36471,39 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the
+ configuration related to the distribution
+ of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer
+ sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold
+ is the minimum number of
+ total upstream endpoints
+ across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -32718,6 +36517,11 @@ spec:
load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only
+ supported for LeastRequest, Random,
+ and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash''
+ ? !has(self.zoneAware) : true '
proxyProtocol:
description: ProxyProtocol enables the
Proxy Protocol when communicating with
@@ -32741,6 +36545,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number
@@ -32763,19 +36574,19 @@ spec:
description: BaseInterval
is the base interval between
retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout
per retry attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -32791,8 +36602,7 @@ spec:
items:
description: HTTPStatus defines
the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -32807,6 +36617,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -32916,12 +36727,16 @@ spec:
- message: BackendRefs must be used, backendRef
is not supported.
rule: '!has(self.backendRef)'
- - message: BackendRefs only supports Service kind.
+ - message: BackendRefs only support Service and
+ Backend kind.
rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
- f.kind == ''Service'') : true'
- - message: BackendRefs only supports Core group.
+ f.kind == ''Service'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
- f.group == "")) : true'
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
type:
description: Type defines the type of accesslog
sink.
@@ -32968,6 +36783,21 @@ spec:
description: Metrics defines metrics configuration for managed
proxies.
properties:
+ clusterStatName:
+ description: |-
+ ClusterStatName defines the value of cluster alt_stat_name, determining how cluster stats are named.
+ For more details, see envoy docs: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html
+ The supported operators for this pattern are:
+ %ROUTE_NAME%: name of Gateway API xRoute resource
+ %ROUTE_NAMESPACE%: namespace of Gateway API xRoute resource
+ %ROUTE_KIND%: kind of Gateway API xRoute resource
+ %ROUTE_RULE_NAME%: name of the Gateway API xRoute section
+ %ROUTE_RULE_NUMBER%: name of the Gateway API xRoute section
+ %BACKEND_REFS%: names of all backends referenced in /|/|... format
+ Only xDS Clusters created for HTTPRoute and GRPCRoute are currently supported.
+ Default: %ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME%/rule/%ROUTE_RULE_NUMBER%
+ Example: httproute/my-ns/my-route/rule/0
+ type: string
enablePerEndpointStats:
description: |-
EnablePerEndpointStats enables per endpoint envoy stats metrics.
@@ -33273,6 +37103,23 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit
+ Breakers that will apply per-endpoint
+ for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures
+ the maximum number of connections
+ that Envoy will establish per-endpoint
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend connection
@@ -33314,6 +37161,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -33399,11 +37258,18 @@ spec:
items:
description: HTTPStatus defines
the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -33419,11 +37285,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time
between active health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -33507,7 +37379,7 @@ spec:
default: 1s
description: Timeout defines the time
to wait for a health check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -33547,6 +37419,16 @@ spec:
if the Health Checker type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC''
: true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -33555,7 +37437,7 @@ spec:
description: BaseEjectionTime defines
the base duration for which a host
will be ejected on consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -33582,7 +37464,7 @@ spec:
default: 3s
description: Interval defines the time
between passive health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -33674,6 +37556,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -33722,6 +37605,36 @@ spec:
the cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
: !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the
+ sources to extract endpoint override
+ information from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract endpoint
+ override information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -33734,6 +37647,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -33752,6 +37666,38 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration
+ related to the distribution of requests
+ between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer sending
+ traffic to the local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold
+ is the minimum number of total
+ upstream endpoints across all
+ zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -33764,6 +37710,11 @@ spec:
for RoundRobin and LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported
+ for LeastRequest, Random, and RoundRobin
+ load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
proxyProtocol:
description: ProxyProtocol enables the Proxy
Protocol when communicating with the backend.
@@ -33786,6 +37737,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of
@@ -33806,19 +37764,19 @@ spec:
baseInterval:
description: BaseInterval is the
base interval between retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout
per retry attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -33834,8 +37792,7 @@ spec:
items:
description: HTTPStatus defines the
http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -33849,6 +37806,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -33949,12 +37907,16 @@ spec:
- message: BackendRefs must be used, backendRef is not
supported.
rule: '!has(self.backendRef)'
- - message: only supports Service kind.
+ - message: BackendRefs only support Service and Backend
+ kind.
rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
- f.kind == ''Service'') : true'
- - message: BackendRefs only supports Core group.
+ f.kind == ''Service'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
- f.group == "")) : true'
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
type:
default: OpenTelemetry
description: |-
@@ -34258,6 +38220,22 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream
+ cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the
+ maximum number of connections that Envoy
+ will establish per-endpoint to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend connection
@@ -34299,6 +38277,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -34383,11 +38373,18 @@ spec:
items:
description: HTTPStatus defines the
http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -34403,11 +38400,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time between
active health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -34491,7 +38494,7 @@ spec:
default: 1s
description: Timeout defines the time to wait
for a health check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -34530,6 +38533,16 @@ spec:
Health Checker type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC''
: true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -34538,7 +38551,7 @@ spec:
description: BaseEjectionTime defines the
base duration for which a host will be ejected
on consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -34565,7 +38578,7 @@ spec:
default: 3s
description: Interval defines the time between
passive health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -34657,6 +38670,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -34704,6 +38718,36 @@ spec:
the cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
: !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources
+ to extract endpoint override information
+ from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract endpoint override
+ information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -34716,6 +38760,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -34734,6 +38779,37 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration
+ related to the distribution of requests between
+ locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the
+ local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is
+ the minimum number of total upstream
+ endpoints across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -34746,6 +38822,10 @@ spec:
RoundRobin and LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for
+ LeastRequest, Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
proxyProtocol:
description: ProxyProtocol enables the Proxy Protocol
when communicating with the backend.
@@ -34768,6 +38848,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of retries
@@ -34788,19 +38875,19 @@ spec:
baseInterval:
description: BaseInterval is the base
interval between retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout per retry
attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -34816,8 +38903,7 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -34831,6 +38917,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -34921,6 +39008,18 @@ spec:
format: int32
minimum: 0
type: integer
+ serviceName:
+ description: |-
+ ServiceName defines the service name to use in tracing configuration.
+ If not set, Envoy Gateway will use a default service name set as
+ "name.namespace" (e.g., "my-gateway.default").
+ Note: This field is only supported for OpenTelemetry and Datadog tracing providers.
+ For Zipkin, the service name in traces is always derived from the Envoy --service-cluster flag
+ (typically "namespace/name" format). Setting this field has no effect for Zipkin.
+ type: string
+ x-kubernetes-validations:
+ - message: serviceName cannot be empty if provided
+ rule: self != ""
type:
default: OpenTelemetry
description: Type defines the tracing provider type.
@@ -34953,12 +39052,14 @@ spec:
rule: has(self.host) || self.backendRefs.size() > 0
- message: BackendRefs must be used, backendRef is not supported.
rule: '!has(self.backendRef)'
- - message: only supports Service kind.
+ - message: BackendRefs only support Service and Backend kind.
rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
- == ''Service'') : true'
- - message: BackendRefs only supports Core group.
+ == ''Service'' || f.kind == ''Backend'') : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
- f.group == "")) : true'
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
samplingFraction:
description: |-
SamplingFraction represents the fraction of requests that should be
@@ -34983,7 +39084,6 @@ spec:
- message: numerator must be less than or equal to denominator
rule: self.numerator <= self.denominator
samplingRate:
- default: 100
description: |-
SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
@@ -35020,7 +39120,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: httproutefilters.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -35066,6 +39166,80 @@ spec:
spec:
description: Spec defines the desired state of HTTPRouteFilter.
properties:
+ credentialInjection:
+ description: |-
+ HTTPCredentialInjectionFilter defines the configuration to inject credentials into the request.
+ This is useful when the backend service requires credentials in the request, and the original
+ request does not contain them. The filter can inject credentials into the request before forwarding
+ it to the backend service.
+ properties:
+ credential:
+ description: Credential is the credential to be injected.
+ properties:
+ valueRef:
+ description: |-
+ ValueRef is a reference to the secret containing the credentials to be injected.
+ This is an Opaque secret. The credential should be stored in the key
+ "credential", and the value should be the credential to be injected.
+ For example, for basic authentication, the value should be "Basic ".
+ for bearer token, the value should be "Bearer ".
+ Note: The secret must be in the same namespace as the HTTPRouteFilter.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - valueRef
+ type: object
+ header:
+ description: |-
+ Header is the name of the header where the credentials are injected.
+ If not specified, the credentials are injected into the Authorization header.
+ type: string
+ overwrite:
+ description: |-
+ Whether to overwrite the value or not if the injected headers already exist.
+ If not specified, the default value is false.
+ type: boolean
+ required:
+ - credential
+ type: object
directResponse:
description: HTTPDirectResponseFilter defines the configuration to
return a fixed response.
@@ -35243,7 +39417,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.17.3
name: securitypolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -35385,6 +39559,15 @@ spec:
type: array
type: object
type: array
+ forwardClientIDHeader:
+ description: |-
+ ForwardClientIDHeader is the name of the header to forward the client identity to the backend
+ service. The header will be added to the request with the client id as the value.
+ type: string
+ sanitize:
+ description: Sanitize indicates whether to remove the API key
+ from the request before forwarding it to the backend service.
+ type: boolean
required:
- credentialRefs
- extractFrom
@@ -35426,6 +39609,46 @@ spec:
maxLength: 253
minLength: 1
type: string
+ operation:
+ description: |-
+ Operation specifies the operation of a request, such as HTTP methods.
+ If not specified, all operations are matched on.
+ properties:
+ methods:
+ description: |-
+ Methods are the HTTP methods of the request.
+ If multiple methods are specified, all specified methods are allowed or denied, based on the action of the rule.
+ items:
+ description: |-
+ HTTPMethod describes how to select a HTTP route by matching the HTTP
+ method as defined by
+ [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4) and
+ [RFC 5789](https://datatracker.ietf.org/doc/html/rfc5789#section-2).
+ The value is expected in upper case.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - methods
+ type: object
principal:
description: |-
Principal specifies the client identity of a request.
@@ -35443,7 +39666,7 @@ spec:
The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
- You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
+ You can use the `ClientIPDetection` or the `ProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected.
items:
description: |-
@@ -35453,6 +39676,39 @@ spec:
type: string
minItems: 1
type: array
+ headers:
+ description: |-
+ Headers authorize the request based on user identity extracted from custom headers.
+ If multiple headers are specified, all headers must match for the rule to match.
+ items:
+ description: AuthorizationHeaderMatch specifies how
+ to match against the value of an HTTP header within
+ a authorization rule.
+ properties:
+ name:
+ description: |-
+ Name of the HTTP header.
+ The header name is case-insensitive unless PreserveHeaderCase is set to true.
+ For example, "Foo" and "foo" are considered the same header.
+ maxLength: 256
+ minLength: 1
+ type: string
+ values:
+ description: |-
+ Values are the values that the header must match.
+ If multiple values are specified, the rule will match if any of the values match.
+ items:
+ type: string
+ maxItems: 256
+ minItems: 1
+ type: array
+ required:
+ - name
+ - values
+ type: object
+ maxItems: 256
+ minItems: 1
+ type: array
jwt:
description: |-
JWT authorize the request based on the JWT claims and scopes.
@@ -35539,8 +39795,9 @@ spec:
rule: (has(self.claims) || has(self.scopes))
type: object
x-kubernetes-validations:
- - message: at least one of clientCIDRs or jwt must be specified
- rule: (has(self.clientCIDRs) || has(self.jwt))
+ - message: at least one of clientCIDRs, jwt, or headers
+ must be specified
+ rule: (has(self.clientCIDRs) || has(self.jwt) || has(self.headers))
required:
- action
- principal
@@ -35551,6 +39808,13 @@ spec:
description: BasicAuth defines the configuration for the HTTP Basic
Authentication.
properties:
+ forwardUsernameHeader:
+ description: |-
+ This field specifies the header name to forward a successfully authenticated user to
+ the backend. The header will be added to the request with the username as the value.
+
+ If it is not specified, the username will not be forwarded.
+ type: string
users:
description: |-
The Kubernetes secret which contains the username-password pairs in
@@ -35671,6 +39935,7 @@ spec:
description: |-
MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header..
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
extAuth:
@@ -35699,6 +39964,8 @@ spec:
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
+
+ If set to true, the External Authorization will also be bypassed if its configuration is invalid.
type: boolean
grpc:
description: |-
@@ -35920,6 +40187,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend connection settings.
@@ -35960,6 +40242,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -36041,11 +40335,18 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -36060,11 +40361,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time between
active health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -36143,7 +40450,7 @@ spec:
default: 1s
description: Timeout defines the time to wait
for a health check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -36180,6 +40487,16 @@ spec:
Checker type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC'' :
true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -36188,7 +40505,7 @@ spec:
description: BaseEjectionTime defines the base
duration for which a host will be ejected on
consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -36214,7 +40531,7 @@ spec:
default: 3s
description: Interval defines the time between
passive health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -36306,6 +40623,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -36352,6 +40670,35 @@ spec:
cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
: !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -36364,6 +40711,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -36382,6 +40730,37 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality
+ zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the
+ minimum number of total upstream endpoints
+ across all zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -36394,6 +40773,10 @@ spec:
and LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
proxyProtocol:
description: ProxyProtocol enables the Proxy Protocol
when communicating with the backend.
@@ -36416,6 +40799,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of retries to
@@ -36436,19 +40826,19 @@ spec:
baseInterval:
description: BaseInterval is the base interval
between retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout per retry
attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -36464,8 +40854,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -36479,6 +40868,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -36559,13 +40949,16 @@ spec:
x-kubernetes-validations:
- message: backendRef or backendRefs needs to be set
rule: has(self.backendRef) || self.backendRefs.size() > 0
- - message: BackendRefs only supports Service and Backend kind.
+ - message: BackendRefs only supports Service, ServiceImport, and
+ Backend kind.
rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
- == ''Service'' || f.kind == ''Backend'') : true'
- - message: BackendRefs only supports Core and gateway.envoyproxy.io
- group.
+ == ''Service'' || f.kind == ''ServiceImport'' || f.kind ==
+ ''Backend'') : true'
+ - message: BackendRefs only supports Core, multicluster.x-k8s.io,
+ and gateway.envoyproxy.io groups.
rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
- == "" || f.group == ''gateway.envoyproxy.io'')) : true'
+ == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
+ ''gateway.envoyproxy.io'')) : true'
headersToExtAuth:
description: |-
HeadersToExtAuth defines the client request headers that will be included
@@ -36801,6 +41194,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend connection settings.
@@ -36841,6 +41249,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -36922,11 +41342,18 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -36941,11 +41368,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time between
active health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -37024,7 +41457,7 @@ spec:
default: 1s
description: Timeout defines the time to wait
for a health check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -37061,6 +41494,16 @@ spec:
Checker type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC'' :
true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -37069,7 +41512,7 @@ spec:
description: BaseEjectionTime defines the base
duration for which a host will be ejected on
consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -37095,7 +41538,7 @@ spec:
default: 3s
description: Interval defines the time between
passive health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -37187,6 +41630,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -37233,6 +41677,35 @@ spec:
cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
: !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -37245,6 +41718,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -37263,6 +41737,37 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality
+ zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the
+ minimum number of total upstream endpoints
+ across all zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -37275,6 +41780,10 @@ spec:
and LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
proxyProtocol:
description: ProxyProtocol enables the Proxy Protocol
when communicating with the backend.
@@ -37297,6 +41806,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of retries to
@@ -37317,19 +41833,19 @@ spec:
baseInterval:
description: BaseInterval is the base interval
between retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout per retry
attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -37345,8 +41861,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -37360,6 +41875,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -37450,19 +41966,27 @@ spec:
description: |-
Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
- or else the authorization request will be sent to the root path.
+ or else the authorization request will use the path of the original request.
+
+ Please note that the original request path will be appended to the path specified here.
+ For example, if the original request path is "/hello", and the path specified here is "/auth",
+ then the path of the authorization request will be "/auth/hello". If the path is not specified,
+ the path of the authorization request will be "/hello".
type: string
type: object
x-kubernetes-validations:
- message: backendRef or backendRefs needs to be set
rule: has(self.backendRef) || self.backendRefs.size() > 0
- - message: BackendRefs only supports Service and Backend kind.
+ - message: BackendRefs only supports Service, ServiceImport, and
+ Backend kind.
rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
- == ''Service'' || f.kind == ''Backend'') : true'
- - message: BackendRefs only supports Core and gateway.envoyproxy.io
- group.
+ == ''Service'' || f.kind == ''ServiceImport'' || f.kind ==
+ ''Backend'') : true'
+ - message: BackendRefs only supports Core, multicluster.x-k8s.io,
+ and gateway.envoyproxy.io groups.
rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
- == "" || f.group == ''gateway.envoyproxy.io'')) : true'
+ == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
+ ''gateway.envoyproxy.io'')) : true'
recomputeRoute:
description: |-
RecomputeRoute clears the route cache and recalculates the routing decision.
@@ -37577,6 +42101,63 @@ spec:
the JWT issuer is not checked.
maxLength: 253
type: string
+ localJWKS:
+ description: LocalJWKS defines how to get the JSON Web Key
+ Sets (JWKS) from a local source.
+ properties:
+ inline:
+ description: Inline contains the value as an inline
+ string.
+ type: string
+ type:
+ default: Inline
+ description: |-
+ Type is the type of method to use to read the body value.
+ Valid values are Inline and ValueRef, default is Inline.
+ enum:
+ - Inline
+ - ValueRef
+ type: string
+ valueRef:
+ description: |-
+ ValueRef is a reference to a local ConfigMap that contains the JSON Web Key Sets (JWKS).
+
+ The value of key `jwks` in the ConfigMap will be used.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: Exactly one of inline or valueRef must be set
+ with correct type.
+ rule: (self.type == 'Inline' && has(self.inline) && !has(self.valueRef))
+ || (self.type == 'ValueRef' && !has(self.inline) &&
+ has(self.valueRef))
name:
description: |-
Name defines a unique name for the JWT provider. A name can have a variety of forms,
@@ -37810,6 +42391,22 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream
+ cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the
+ maximum number of connections that Envoy
+ will establish per-endpoint to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend connection
@@ -37851,6 +42448,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -37935,11 +42544,18 @@ spec:
items:
description: HTTPStatus defines the
http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -37955,11 +42571,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time between
active health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -38043,7 +42665,7 @@ spec:
default: 1s
description: Timeout defines the time to
wait for a health check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -38083,6 +42705,16 @@ spec:
the Health Checker type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC''
: true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -38091,7 +42723,7 @@ spec:
description: BaseEjectionTime defines the
base duration for which a host will be
ejected on consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -38118,7 +42750,7 @@ spec:
default: 3s
description: Interval defines the time between
passive health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -38210,6 +42842,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -38257,6 +42890,36 @@ spec:
the cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
: !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources
+ to extract endpoint override information
+ from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract endpoint
+ override information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -38269,6 +42932,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -38287,6 +42951,37 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration
+ related to the distribution of requests between
+ locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer sending traffic
+ to the local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is
+ the minimum number of total upstream
+ endpoints across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -38299,6 +42994,11 @@ spec:
for RoundRobin and LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported
+ for LeastRequest, Random, and RoundRobin load
+ balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
proxyProtocol:
description: ProxyProtocol enables the Proxy Protocol
when communicating with the backend.
@@ -38321,6 +43021,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of retries
@@ -38341,19 +43048,19 @@ spec:
baseInterval:
description: BaseInterval is the base
interval between retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout per
retry attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -38369,8 +43076,7 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -38384,6 +43090,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -38482,13 +43189,16 @@ spec:
!has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true
required:
- name
- - remoteJWKS
type: object
x-kubernetes-validations:
- message: claimToHeaders must be specified if recomputeRoute
- is enabled
+ is enabled.
rule: '(has(self.recomputeRoute) && self.recomputeRoute) ?
size(self.claimToHeaders) > 0 : true'
+ - message: either remoteJWKS or localJWKS must be specified.
+ rule: has(self.remoteJWKS) || has(self.localJWKS)
+ - message: remoteJWKS and localJWKS cannot both be specified.
+ rule: '!(has(self.remoteJWKS) && has(self.localJWKS))'
maxItems: 4
minItems: 1
type: array
@@ -38503,8 +43213,57 @@ spec:
description: |-
The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+ Only one of clientID or clientIDRef must be set.
minLength: 1
type: string
+ clientIDRef:
+ description: |-
+ The Kubernetes secret which contains the client ID to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ Exactly one of clientID or clientIDRef must be set.
+ This is an Opaque secret. The client ID should be stored in the key "client-id".
+
+ Only one of clientID or clientIDRef must be set.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
clientSecret:
description: |-
The Kubernetes secret which contains the OIDC client secret to be used in the
@@ -38551,6 +43310,18 @@ spec:
required:
- name
type: object
+ cookieConfig:
+ description: |-
+ CookieConfigs allows setting the SameSite attribute for OIDC cookies.
+ By default, its unset.
+ properties:
+ sameSite:
+ enum:
+ - Lax
+ - Strict
+ - None
+ type: string
+ type: object
cookieDomain:
description: |-
The optional domain to set the access and ID token cookies on.
@@ -38586,6 +43357,7 @@ spec:
If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
defaultTokenTTL:
description: |-
@@ -38597,7 +43369,50 @@ spec:
If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ denyRedirect:
+ description: |-
+ Any request that matches any of the provided matchers (with either tokens that are expired or missing tokens) will not be redirected to the OIDC Provider.
+ This behavior can be useful for AJAX or machine requests.
+ properties:
+ headers:
+ description: Defines the headers to match against the request
+ to deny redirect to the OIDC Provider.
+ items:
+ description: OIDCDenyRedirectHeader defines how a header
+ is matched
+ properties:
+ name:
+ description: Specifies the name of the header in the
+ request.
+ minLength: 1
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that the
+ match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - headers
+ type: object
forwardAccessToken:
description: |-
ForwardAccessToken indicates whether the Envoy should forward the access token
@@ -38610,6 +43425,16 @@ spec:
If not specified, uses a default logout path "/logout"
type: string
+ passThroughAuthHeader:
+ description: |-
+ Skips OIDC authentication when the request contains a header that will be extracted by the JWT filter. Unless
+ explicitly stated otherwise in the extractFrom field, this will be the "Authorization: Bearer ..." header.
+
+ The passThroughAuthHeader option is typically used for non-browser clients that may not be able to handle OIDC
+ redirects and wish to directly supply a token instead.
+
+ If not specified, defaults to false.
+ type: boolean
provider:
description: The OIDC Provider configuration.
properties:
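Review bot: `passThroughAuthHeader` makes the mere presence of a bearer header skip the OIDC flow, yet nothing in the schema ties it to a configured `jwt` provider the way the existing CEL rule later in this CRD ties `authorization.rules.principal.jwt` to `has(self.jwt)`; a SecurityPolicy with `passThroughAuthHeader: true` and no `jwt` section is accepted by the API server, and whether the translator rejects it at reconcile time is not visible here. If the bundled CRD cannot be edited locally (it is vendored from the upstream chart), the caveat still belongs in the operator's SecurityPolicy documentation, and the field description is the right place for it: `Must be paired with a jwt provider; the forwarded token is only validated by the JWT filter, not by the OIDC filter.` The enclosing `oidc` schema object starts and ends outside this hunk.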
@@ -38832,6 +43657,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
type: object
connection:
description: Connection includes backend connection settings.
@@ -38872,6 +43712,18 @@ spec:
description: |-
DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
type: string
respectDnsTtl:
description: |-
@@ -38953,11 +43805,18 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
method:
description: |-
Method defines the HTTP method used for health checking.
@@ -38972,11 +43831,17 @@ spec:
required:
- path
type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
interval:
default: 3s
description: Interval defines the time between
active health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
tcp:
description: |-
@@ -39055,7 +43920,7 @@ spec:
default: 1s
description: Timeout defines the time to wait
for a health check response.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type:
allOf:
@@ -39092,6 +43957,16 @@ spec:
Checker type is GRPC.
rule: 'has(self.grpc) ? self.type == ''GRPC'' :
true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
passive:
description: Passive passive check configuration
properties:
@@ -39100,7 +43975,7 @@ spec:
description: BaseEjectionTime defines the base
duration for which a host will be ejected on
consecutive failures.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
consecutive5XxErrors:
default: 5
@@ -39126,7 +44001,7 @@ spec:
default: 3s
description: Interval defines the time between
passive health checks.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxEjectionPercent:
default: 10
@@ -39218,6 +44093,7 @@ spec:
description: |-
TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- name
@@ -39264,6 +44140,35 @@ spec:
cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
: !has(self.cookie)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
slowStart:
description: |-
SlowStart defines the configuration related to the slow start load balancer policy.
@@ -39276,6 +44181,7 @@ spec:
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
required:
- window
@@ -39294,6 +44200,37 @@ spec:
- Random
- RoundRobin
type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality
+ zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the
+ minimum number of total upstream endpoints
+ across all zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ type: object
+ type: object
required:
- type
type: object
@@ -39306,6 +44243,10 @@ spec:
and LeastRequest load balancers.
rule: 'self.type in [''Random'', ''ConsistentHash'']
? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
proxyProtocol:
description: ProxyProtocol enables the Proxy Protocol
when communicating with the backend.
@@ -39328,6 +44269,13 @@ spec:
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled.
properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
numRetries:
default: 2
description: NumRetries is the number of retries to
@@ -39348,19 +44296,19 @@ spec:
baseInterval:
description: BaseInterval is the base interval
between retries.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxInterval:
description: |-
MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
timeout:
description: Timeout is the timeout per retry
attempt.
- format: duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
retryOn:
@@ -39376,8 +44324,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -39391,6 +44338,7 @@ spec:
- 5xx
- gateway-error
- reset
+ - reset-before-request
- connect-failure
- retriable-4xx
- refused-stream
@@ -39467,6 +44415,13 @@ spec:
type: object
type: object
type: object
+ endSessionEndpoint:
+ description: |-
+ The OIDC Provider's [end session endpoint](https://openid.net/specs/openid-connect-core-1_0.html#RPLogout).
+
+ If the end session endpoint is provided, EG will use it to log out the user from the OIDC Provider when the user accesses the logout path.
+ EG will also try to discover the end session endpoint from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) when authorizationEndpoint or tokenEndpoint is not provided.
+ type: string
issuer:
description: |-
The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
@@ -39524,10 +44479,13 @@ spec:
type: string
type: array
required:
- - clientID
- clientSecret
- provider
type: object
+ x-kubernetes-validations:
+ - message: only one of clientID or clientIDRef must be set
+ rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
+ && has(self.clientIDRef))
targetRef:
description: |-
TargetRef is the name of the resource this policy is being attached to.
@@ -39647,6 +44605,39 @@ spec:
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -39655,7 +44646,6 @@ spec:
type: object
required:
- kind
- - matchLabels
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
@@ -39674,17 +44664,12 @@ spec:
- message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute
rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
''GRPCRoute''] : true'
- - message: this policy does not yet support the sectionName field
- rule: 'has(self.targetRef) ? !has(self.targetRef.sectionName) : true'
- message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
''gateway.networking.k8s.io'') : true '
- message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
''HTTPRoute'', ''GRPCRoute'']) : true '
- - message: this policy does not yet support the sectionName field
- rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName))
- : true'
- message: if authorization.rules.principal.jwt is used, jwt must be defined
rule: '(has(self.authorization) && has(self.authorization.rules) &&
self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt)
@@ -40001,10 +44986,10 @@ metadata:
name: envoy-gateway
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
---
# Source: gateway-helm/templates/envoy-gateway-config.yaml
@@ -40014,15 +44999,16 @@ metadata:
name: envoy-gateway-config
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
data:
envoy-gateway.yaml: |
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
+ extensionApis: {}
gateway:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
logging:
@@ -40032,7 +45018,7 @@ data:
kubernetes:
rateLimitDeployment:
container:
- image: docker.io/envoyproxy/ratelimit:0141a24f
+ image: docker.io/envoyproxy/ratelimit:e74a664a
patch:
type: StrategicMerge
value:
@@ -40043,7 +45029,7 @@ data:
- imagePullPolicy: IfNotPresent
name: envoy-ratelimit
shutdownManager:
- image: docker.io/envoyproxy/gateway:v1.3.2
+ image: docker.io/envoyproxy/gateway:v1.5.7
type: Kubernetes
---
# Source: gateway-helm/templates/envoy-gateway-rbac.yaml
@@ -40166,6 +45152,17 @@ rules:
- backendtlspolicies/status
verbs:
- update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/binding
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
---
# Source: gateway-helm/templates/envoy-gateway-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
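Review bot: The new rule in this hunk grants `patch`/`update` on `pods` and `pods/binding` cluster-wide, because it lands in what appears to be the cluster-scoped envoy-gateway role (the same rule set carries `backendtlspolicies/status`); `update` on a pod is enough to change `spec.containers[*].image`, so a compromised controller would not be confined to `tigera-gateway`. The topology-injector webhook added later in this file restricts itself to the `tigera-gateway` namespace via its namespaceSelector, which suggests these verbs are only needed there unless proxies are rendered into other namespaces, which this diff does not show. If the operator can carry a post-render override, a namespaced Role in `tigera-gateway` would be the least-privilege shape; otherwise a comment such as `# cluster-wide pod patch is required because <reason>` above the rule would stop the next chart bump from widening it unnoticed. The enclosing ClusterRole starts outside this hunk.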
@@ -40188,10 +45185,10 @@ metadata:
name: tigera-gateway-api-gateway-helm-infra-manager
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
@@ -40203,6 +45200,7 @@ rules:
verbs:
- create
- get
+ - list
- delete
- deletecollection
- patch
@@ -40226,9 +45224,18 @@ rules:
verbs:
- create
- get
+ - list
- delete
- deletecollection
- patch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - clustertrustbundles
+ verbs:
+ - list
+ - get
+ - watch
---
# Source: gateway-helm/templates/leader-election-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -40237,10 +45244,10 @@ metadata:
name: tigera-gateway-api-gateway-helm-leader-election-role
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
@@ -40282,10 +45289,10 @@ metadata:
name: tigera-gateway-api-gateway-helm-infra-manager
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -40303,10 +45310,10 @@ metadata:
name: tigera-gateway-api-gateway-helm-leader-election-rolebinding
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -40325,10 +45332,10 @@ metadata:
namespace: 'tigera-gateway'
labels:
control-plane: envoy-gateway
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
spec:
selector:
@@ -40348,6 +45355,9 @@ spec:
- name: metrics
port: 19001
targetPort: 19001
+ - name: webhook
+ port: 9443
+ targetPort: 9443
---
# Source: gateway-helm/templates/envoy-gateway-deployment.yaml
apiVersion: apps/v1
@@ -40357,10 +45367,10 @@ metadata:
namespace: 'tigera-gateway'
labels:
control-plane: envoy-gateway
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
@@ -40391,7 +45401,7 @@ spec:
fieldPath: metadata.namespace
- name: KUBERNETES_CLUSTER_DOMAIN
value: cluster.local
- image: docker.io/envoyproxy/gateway:v1.3.2
+ image: docker.io/envoyproxy/gateway:v1.5.7
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -40409,6 +45419,8 @@ spec:
name: wasm
- containerPort: 19001
name: metrics
+ - name: webhook
+ containerPort: 9443
readinessProbe:
httpGet:
path: /readyz
@@ -40458,13 +45470,70 @@ metadata:
name: tigera-gateway-api-gateway-helm-certgen
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": pre-install
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+---
+# Source: gateway-helm/templates/certgen-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: 'tigera-gateway-api-gateway-helm-certgen:tigera-gateway'
+ labels:
+ helm.sh/chart: gateway-helm-v1.5.7
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/instance: tigera-gateway-api
+ app.kubernetes.io/version: "v1.5.7"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+rules:
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ resourceNames:
+ - 'envoy-gateway-topology-injector.tigera-gateway'
+ verbs:
+ - update
+ - patch
+---
+# Source: gateway-helm/templates/certgen-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: 'tigera-gateway-api-gateway-helm-certgen:tigera-gateway'
+ labels:
+ helm.sh/chart: gateway-helm-v1.5.7
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/instance: tigera-gateway-api
+ app.kubernetes.io/version: "v1.5.7"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'tigera-gateway-api-gateway-helm-certgen:tigera-gateway'
+subjects:
+ - kind: ServiceAccount
+ name: 'tigera-gateway-api-gateway-helm-certgen'
+ namespace: 'tigera-gateway'
---
# Source: gateway-helm/templates/certgen-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -40473,13 +45542,14 @@ metadata:
name: tigera-gateway-api-gateway-helm-certgen
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": pre-install
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
rules:
- apiGroups:
- ""
@@ -40497,13 +45567,14 @@ metadata:
name: tigera-gateway-api-gateway-helm-certgen
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": pre-install
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -40520,10 +45591,10 @@ metadata:
name: tigera-gateway-api-gateway-helm-certgen
namespace: 'tigera-gateway'
labels:
- helm.sh/chart: gateway-helm-v1.3.2
+ helm.sh/chart: gateway-helm-v1.5.7
app.kubernetes.io/name: gateway-helm
app.kubernetes.io/instance: tigera-gateway-api
- app.kubernetes.io/version: "v1.3.2"
+ app.kubernetes.io/version: "v1.5.7"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": pre-install, pre-upgrade
@@ -40548,7 +45619,7 @@ spec:
fieldPath: metadata.namespace
- name: KUBERNETES_CLUSTER_DOMAIN
value: cluster.local
- image: docker.io/envoyproxy/gateway:v1.3.2
+ image: docker.io/envoyproxy/gateway:v1.5.7
imagePullPolicy: IfNotPresent
name: envoy-gateway-certgen
securityContext:
@@ -40558,12 +45629,50 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
- runAsGroup: 65534
+ runAsGroup: 65532
runAsNonRoot: true
- runAsUser: 65534
+ runAsUser: 65532
seccompProfile:
type: RuntimeDefault
imagePullSecrets: []
restartPolicy: Never
serviceAccountName: tigera-gateway-api-gateway-helm-certgen
ttlSecondsAfterFinished: 30
+---
+# Source: gateway-helm/templates/envoy-proxy-topology-injector-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: 'envoy-gateway-topology-injector.tigera-gateway'
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1"
+ labels:
+ app.kubernetes.io/component: topology-injector
+ helm.sh/chart: gateway-helm-v1.5.7
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/instance: tigera-gateway-api
+ app.kubernetes.io/version: "v1.5.7"
+ app.kubernetes.io/managed-by: Helm
+webhooks:
+ - name: topology.webhook.gateway.envoyproxy.io
+ admissionReviewVersions: ["v1"]
+ sideEffects: None
+ clientConfig:
+ service:
+ name: envoy-gateway
+ namespace: 'tigera-gateway'
+ path: "/inject-pod-topology"
+ port: 9443
+ failurePolicy: Ignore
+ rules:
+ - operations: ["CREATE"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods/binding"]
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - tigera-gateway
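Review bot: The MutatingWebhookConfiguration's `clientConfig` carries no `caBundle`, and the only thing that can populate it is, presumably, the certgen Job that the certgen ClusterRole earlier in this file is allowed to `update`/`patch`; combined with `failurePolicy: Ignore`, a missing bundle or an unreachable `envoy-gateway:9443` means the API server silently skips the mutation, so Pods bind without topology labels and zone-aware routing quietly degrades with no error surfaced. The `helm.sh/hook` ordering annotations on the Job and its RBAC are inert when the operator applies these objects itself, so the operator should treat an empty `caBundle` after reconcile as a degraded condition (a log line or status condition) rather than relying on hook weight. The `namespaceSelector` limiting the hook to `tigera-gateway` and the `pods/binding`-only rule are the right scoping and should be preserved across future bumps; a comment such as `# scoped to tigera-gateway on purpose: keep namespaceSelector when bumping the chart` would make that intent explicit.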
diff --git a/pkg/render/gateway_api_test.go b/pkg/render/gateway_api_test.go
index 060e570547..57e1cc5686 100644
--- a/pkg/render/gateway_api_test.go
+++ b/pkg/render/gateway_api_test.go
@@ -24,6 +24,7 @@ import (
operatorv1 "github.com/tigera/operator/api/v1"
"github.com/tigera/operator/pkg/components"
rtest "github.com/tigera/operator/pkg/render/common/test"
+ admissionregv1 "k8s.io/api/admissionregistration/v1"
appsv1 "k8s.io/api/apps/v1"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
@@ -161,15 +162,21 @@ var _ = Describe("Gateway API rendering tests", func() {
Installation: installation,
GatewayAPI: gatewayAPI,
})
+ By("resolving images")
objsToCreate, objsToDelete := gatewayComp.Objects()
Expect(objsToDelete).To(HaveLen(0))
+ Expect(objsToCreate).NotTo(BeEmpty())
+
rtest.ExpectResources(objsToCreate, []client.Object{
&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway"}},
&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-operator-secrets", Namespace: "tigera-gateway"}},
&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
+ &admissionregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-topology-injector.tigera-gateway"}},
&rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
+ &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
&rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding"}},
+ &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
&rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-infra-manager", Namespace: "tigera-gateway"}},
&rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-leader-election-role", Namespace: "tigera-gateway"}},
&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-infra-manager", Namespace: "tigera-gateway"}},
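Review bot: The new `By("resolving images")` label does not describe the statement that follows it, which is `gatewayComp.Objects()`; no image resolution is visible in this hunk, so a failure report would point readers at the wrong step, and `By("rendering gateway objects")` matches the code. The added expectations only assert that the `MutatingWebhookConfiguration` and the certgen `ClusterRole`/`ClusterRoleBinding` exist by name, while nothing checks the properties that bound their blast radius: the webhook's `namespaceSelector` restricting it to `tigera-gateway`, its `failurePolicy`, and the certgen ClusterRole's `resourceNames` limit on `mutatingwebhookconfigurations`. A follow-up assertion that pulls the rendered webhook out of `objsToCreate` and checks those fields would catch a future chart bump that silently widens them. `Expect(objsToCreate).NotTo(BeEmpty())` is redundant once `rtest.ExpectResources` runs on the same slice. The enclosing `It` block extends beyond this hunk.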
@@ -262,8 +269,11 @@ var _ = Describe("Gateway API rendering tests", func() {
&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-operator-secrets", Namespace: "tigera-gateway"}},
&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
+ &admissionregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-topology-injector.tigera-gateway"}},
&rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
+ &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
&rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding"}},
+ &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
&rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-infra-manager", Namespace: "tigera-gateway"}},
&rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-leader-election-role", Namespace: "tigera-gateway"}},
&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-infra-manager", Namespace: "tigera-gateway"}},
@@ -348,8 +358,11 @@ var _ = Describe("Gateway API rendering tests", func() {
&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-operator-secrets", Namespace: "tigera-gateway"}},
&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
+ &admissionregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-topology-injector.tigera-gateway"}},
&rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
+ &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
&rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding"}},
+ &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
&rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-infra-manager", Namespace: "tigera-gateway"}},
&rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-leader-election-role", Namespace: "tigera-gateway"}},
&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-infra-manager", Namespace: "tigera-gateway"}},