diff --git a/.github/codecov.yml b/.github/codecov.yml
index af7439b56fc..60509f755b5 100644
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -10,3 +10,7 @@ coverage:
target: 60%
threshold: 5%
if_ci_failed: error
+ignore:
+ - "cmd"
+ - "**/*.pb.go"
+ - "**/zz_generated.deepcopy.go"
diff --git a/.github/workflows/cherrypick.yaml b/.github/workflows/cherrypick.yaml
index b338f5dcf17..cbceef0cb9e 100644
--- a/.github/workflows/cherrypick.yaml
+++ b/.github/workflows/cherrypick.yaml
@@ -20,7 +20,7 @@ jobs:
with:
fetch-depth: 0
- name: Cherry pick into release/v1.0
- uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9
+ uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10
with:
branch: release/v1.0
title: "[release/v1.0] {old_title}"
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 59aa467cb00..cf1de63d84e 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -27,6 +27,8 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}
+ - uses: ./tools/github-actions/setup-deps
+
- name: Run markdown linter
uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d # v3.3.0
with:
@@ -34,7 +36,7 @@ jobs:
config_file: ".github/markdown_lint_config.json"
- name: Install linkinator
- run: npm install -g linkinator
+ run: npm install -g linkinator@6.0.4
- name: Check links
run: make docs docs-check-links
@@ -51,6 +53,8 @@ jobs:
submodules: true
ref: ${{ github.event.pull_request.head.sha }}
+ - uses: ./tools/github-actions/setup-deps
+
- name: Setup Hugo
uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2.6.0
with:
diff --git a/OWNERS b/OWNERS
index a38205aca15..a8b84e2cc3d 100644
--- a/OWNERS
+++ b/OWNERS
@@ -21,7 +21,6 @@ reviewers:
- chauhanshubham
- kflynn
-- LanceEa
- tmsnan
- tanujd11
- cnvergence
diff --git a/README.md b/README.md
index 0c8eb33a63b..babe462ad38 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or
Kubernetes-based application gateway.
+[Gateway API](https://gateway-api.sigs.k8s.io) resources are used to dynamically provision and configure the managed Envoy Proxies.
## Documentation
diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go
index 483a224fab4..48694edb2a7 100644
--- a/api/v1alpha1/accesslogging_types.go
+++ b/api/v1alpha1/accesslogging_types.go
@@ -5,6 +5,8 @@
package v1alpha1
+import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
type ProxyAccessLog struct {
// Disable disables access logging for managed proxies if set to true.
Disable bool `json:"disable,omitempty"`
@@ -92,16 +94,26 @@ type FileEnvoyProxyAccessLog struct {
Path string `json:"path,omitempty"`
}
-// TODO: consider reuse ExtensionService?
+// OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink.
+//
+// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
type OpenTelemetryEnvoyProxyAccessLog struct {
// Host define the extension service hostname.
+ // Deprecated: Use BackendRef instead.
Host string `json:"host"`
// Port defines the port the extension service is exposed on.
+ // Deprecated: Use BackendRef instead.
//
// +optional
// +kubebuilder:validation:Minimum=0
// +kubebuilder:default=4317
Port int32 `json:"port,omitempty"`
+ // BackendRef references a Kubernetes object that represents the
+ // backend server to which the accesslog will be sent.
+ // Only service Kind is supported for now.
+ //
+ // +optional
+ BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
// Resources is a set of labels that describe the source of a log entry, including envoy node info.
// It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
// +optional
diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
index 58412c73723..619bbeb50f3 100644
--- a/api/v1alpha1/clienttrafficpolicy_types.go
+++ b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -99,8 +99,30 @@ type HeaderSettings struct {
// and responses.
// +optional
EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
+
+ // WithUnderscoresAction configures the action to take when an HTTP header with underscores
+ // is encountered. The default action is to reject the request.
+ // +optional
+ WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`
}
+// WithUnderscoresAction configures the action to take when an HTTP header with underscores
+// is encountered.
+// +kubebuilder:validation:Enum=Allow;RejectRequest;DropHeader
+type WithUnderscoresAction string
+
+const (
+ // WithUnderscoresActionAllow allows headers with underscores to be passed through.
+ WithUnderscoresActionAllow WithUnderscoresAction = "Allow"
+ // WithUnderscoresActionRejectRequest rejects the client request. HTTP/1 requests are rejected with
+ // the 400 status. HTTP/2 requests end with the stream reset.
+ WithUnderscoresActionRejectRequest WithUnderscoresAction = "RejectRequest"
+ // WithUnderscoresActionDropHeader drops the client header with name containing underscores. The header
+ // is dropped before the filter chain is invoked and as such filters will not see
+ // dropped headers.
+ WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
+)
+
// ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
//
// +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"
diff --git a/api/v1alpha1/connection_types.go b/api/v1alpha1/connection_types.go
index 424b179b218..999cfcc4144 100644
--- a/api/v1alpha1/connection_types.go
+++ b/api/v1alpha1/connection_types.go
@@ -5,7 +5,10 @@
package v1alpha1
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+import (
+ "k8s.io/apimachinery/pkg/api/resource"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
// Connection allows users to configure connection-level settings
type Connection struct {
@@ -13,6 +16,14 @@ type Connection struct {
//
// +optional
ConnectionLimit *ConnectionLimit `json:"connectionLimit,omitempty"`
+ // BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+ // For example, 20Mi, 1Gi, 256Ki etc.
+ // Note that when the suffix is not provided, the value is interpreted as bytes.
+ // Default: 32768 bytes.
+ //
+ // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\""
+ // +optional
+ BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"`
}
type ConnectionLimit struct {
diff --git a/api/v1alpha1/envoyextensionypolicy_types.go b/api/v1alpha1/envoyextensionypolicy_types.go
index 4b14955be42..f4bb6aa9d56 100644
--- a/api/v1alpha1/envoyextensionypolicy_types.go
+++ b/api/v1alpha1/envoyextensionypolicy_types.go
@@ -46,15 +46,16 @@ type EnvoyExtensionPolicySpec struct {
// TargetRef
TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"`
- // Priority of the EnvoyExtensionPolicy.
- // If multiple EnvoyExtensionPolices are applied to the same
- // TargetRef, extensions will execute in the ascending order of
- // the priority i.e. int32.min has the highest priority and
- // int32.max has the lowest priority.
- // Defaults to 0.
+ // WASM is a list of Wasm extensions to be loaded by the Gateway.
+ // Order matters, as the extensions will be loaded in the order they are
+ // defined in this list.
//
// +optional
- Priority int32 `json:"priority,omitempty"`
+ WASM []Wasm `json:"wasm,omitempty"`
+
+ // ExtProc is an ordered list of external processing filters
+ // that should added to the envoy filter chain
+ ExtProc []ExtProc `json:"extProc,omitempty"`
}
//+kubebuilder:object:root=true
diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go
index 09077991c87..5f36282f5b5 100644
--- a/api/v1alpha1/envoygateway_helpers.go
+++ b/api/v1alpha1/envoygateway_helpers.go
@@ -9,6 +9,8 @@ import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
)
// DefaultEnvoyGateway returns a new EnvoyGateway with default configuration parameters.
@@ -39,6 +41,14 @@ func (e *EnvoyGateway) SetEnvoyGatewayDefaults() {
if e.Provider == nil {
e.Provider = DefaultEnvoyGatewayProvider()
}
+ if e.Provider.Kubernetes == nil {
+ e.Provider.Kubernetes = &EnvoyGatewayKubernetesProvider{
+ LeaderElection: DefaultLeaderElection(),
+ }
+ }
+ if e.Provider.Kubernetes.LeaderElection == nil {
+ e.Provider.Kubernetes.LeaderElection = DefaultLeaderElection()
+ }
if e.Gateway == nil {
e.Gateway = DefaultGateway()
}
@@ -85,6 +95,16 @@ func (e *EnvoyGateway) NamespaceMode() bool {
len(e.Provider.Kubernetes.Watch.Namespaces) > 0
}
+// DefaultLeaderElection returns a new LeaderElection with default configuration parameters.
+func DefaultLeaderElection() *LeaderElection {
+ return &LeaderElection{
+ RenewDeadline: ptr.To(gwapiv1.Duration("10s")),
+ RetryPeriod: ptr.To(gwapiv1.Duration("2s")),
+ LeaseDuration: ptr.To(gwapiv1.Duration("15s")),
+ Disable: ptr.To(false),
+ }
+}
+
// DefaultGateway returns a new Gateway with default configuration parameters.
func DefaultGateway() *Gateway {
return &Gateway{
@@ -148,6 +168,9 @@ func DefaultEnvoyGatewayPrometheus() *EnvoyGatewayPrometheusProvider {
func DefaultEnvoyGatewayProvider() *EnvoyGatewayProvider {
return &EnvoyGatewayProvider{
Type: ProviderTypeKubernetes,
+ Kubernetes: &EnvoyGatewayKubernetesProvider{
+ LeaderElection: DefaultLeaderElection(),
+ },
}
}
@@ -195,9 +218,16 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern
if r.Kubernetes == nil {
r.Kubernetes = DefaultEnvoyGatewayKubeProvider()
+ if r.Kubernetes.LeaderElection == nil {
+ r.Kubernetes.LeaderElection = DefaultLeaderElection()
+ }
return r.Kubernetes
}
+ if r.Kubernetes.LeaderElection == nil {
+ r.Kubernetes.LeaderElection = DefaultLeaderElection()
+ }
+
if r.Kubernetes.RateLimitDeployment == nil {
r.Kubernetes.RateLimitDeployment = DefaultKubernetesDeployment(DefaultRateLimitImage)
}
diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
index 777b6c50950..47b9861e170 100644
--- a/api/v1alpha1/envoygateway_types.go
+++ b/api/v1alpha1/envoygateway_types.go
@@ -90,6 +90,21 @@ type EnvoyGatewaySpec struct {
ExtensionAPIs *ExtensionAPISettings `json:"extensionApis,omitempty"`
}
+// LeaderElection defines the desired leader election settings.
+type LeaderElection struct {
+ // LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
+ // It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds.
+ LeaseDuration *gwapiv1.Duration `json:"leaseDuration,omitempty"`
+ // RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
+ // status before relinquishing its position. The default setting is 10 seconds.
+ RenewDeadline *gwapiv1.Duration `json:"renewDeadline,omitempty"`
+ // RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
+ // The default setting is 2 seconds.
+ RetryPeriod *gwapiv1.Duration `json:"retryPeriod,omitempty"`
+ // Disable provides the option to turn off leader election, which is enabled by default.
+ Disable *bool `json:"disable,omitempty"`
+}
+
// EnvoyGatewayTelemetry defines telemetry configurations for envoy gateway control plane.
// Control plane will focus on metrics observability telemetry and tracing telemetry later.
type EnvoyGatewayTelemetry struct {
@@ -151,10 +166,6 @@ type ExtensionAPISettings struct {
// EnableEnvoyPatchPolicy enables Envoy Gateway to
// reconcile and implement the EnvoyPatchPolicy resources.
EnableEnvoyPatchPolicy bool `json:"enableEnvoyPatchPolicy"`
-
- // EnableEnvoyExtensionPolicy enables Envoy Gateway to
- // reconcile and implement the EnvoyExtensionPolicy resources.
- EnableEnvoyExtensionPolicy bool `json:"enableEnvoyExtensionPolicy"`
}
// EnvoyGatewayProvider defines the desired configuration of a provider.
@@ -198,6 +209,10 @@ type EnvoyGatewayKubernetesProvider struct {
// OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set.
// +optional
OverwriteControlPlaneCerts *bool `json:"overwriteControlPlaneCerts,omitempty"`
+ // LeaderElection specifies the configuration for leader election.
+ // If it's not set up, leader election will be active by default, using Kubernetes' standard settings.
+ // +optional
+ LeaderElection *LeaderElection `json:"leaderElection,omitempty"`
}
const (
diff --git a/api/v1alpha1/envoyproxy_metric_types.go b/api/v1alpha1/envoyproxy_metric_types.go
index 71fb42ca62b..4c45df39e36 100644
--- a/api/v1alpha1/envoyproxy_metric_types.go
+++ b/api/v1alpha1/envoyproxy_metric_types.go
@@ -5,6 +5,8 @@
package v1alpha1
+import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
type MetricSinkType string
const (
@@ -47,16 +49,27 @@ type ProxyMetricSink struct {
OpenTelemetry *ProxyOpenTelemetrySink `json:"openTelemetry,omitempty"`
}
+// ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink.
+//
+// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
type ProxyOpenTelemetrySink struct {
// Host define the service hostname.
+ // Deprecated: Use BackendRef instead.
Host string `json:"host"`
// Port defines the port the service is exposed on.
+ // Deprecated: Use BackendRef instead.
//
// +optional
// +kubebuilder:validation:Minimum=0
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:default=4317
Port int32 `json:"port,omitempty"`
+ // BackendRef references a Kubernetes object that represents the
+ // backend server to which the metric will be sent.
+ // Only service Kind is supported for now.
+ //
+ // +optional
+ BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"`
// TODO: add support for customizing OpenTelemetry sink in https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto#envoy-v3-api-msg-extensions-stat-sinks-open-telemetry-v3-sinkconfig
}
diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go
new file mode 100644
index 00000000000..c94682198b4
--- /dev/null
+++ b/api/v1alpha1/ext_proc_types.go
@@ -0,0 +1,29 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.group) || self.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.kind) || self.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
+//
+// ExtProc defines the configuration for External Processing filter.
+type ExtProc struct {
+ // Service defines the configuration of the external processing service
+ BackendRef ExtProcBackendRef `json:"backendRef"`
+}
+
+// ExtProcService defines the gRPC External Processing service using the envoy grpc client
+// The processing request and response messages are defined in
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ext_proc/v3/external_processor.proto
+type ExtProcBackendRef struct {
+ // BackendObjectReference references a Kubernetes object that represents the
+ // backend server to which the processing requests will be sent.
+ // Only service Kind is supported for now.
+ gwapiv1.BackendObjectReference `json:",inline"`
+}
diff --git a/api/v1alpha1/timeout_types.go b/api/v1alpha1/timeout_types.go
index 78289c968fa..ccf50724305 100644
--- a/api/v1alpha1/timeout_types.go
+++ b/api/v1alpha1/timeout_types.go
@@ -50,9 +50,15 @@ type ClientTimeout struct {
}
type HTTPClientTimeout struct {
- // The duration envoy waits for the complete request reception. This timer starts upon request
+ // RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
// initiation and stops when either the last byte of the request is sent upstream or when the response begins.
//
// +optional
RequestReceivedTimeout *gwapiv1.Duration `json:"requestReceivedTimeout,omitempty"`
+
+ // IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ // Default: 1 hour.
+ //
+ // +optional
+ IdleTimeout *gwapiv1.Duration `json:"idleTimeout,omitempty"`
}
diff --git a/api/v1alpha1/tracing_types.go b/api/v1alpha1/tracing_types.go
index 63529df54f2..7c86ba7c846 100644
--- a/api/v1alpha1/tracing_types.go
+++ b/api/v1alpha1/tracing_types.go
@@ -5,6 +5,8 @@
package v1alpha1
+import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
type ProxyTracing struct {
// SamplingRate controls the rate at which traffic will be
// selected for tracing if no prior sampling decision has been made.
@@ -28,6 +30,9 @@ const (
TracingProviderTypeOpenTelemetry TracingProviderType = "OpenTelemetry"
)
+// TracingProvider defines the tracing provider configuration.
+//
+// +kubebuilder:validation:XValidation:message="BackendRef only support Service Kind.",rule="!has(self.backendRef) || !has(self.backendRef.kind) || self.backendRef.kind == 'Service'"
type TracingProvider struct {
// Type defines the tracing provider type.
// EG currently only supports OpenTelemetry.
@@ -35,13 +40,21 @@ type TracingProvider struct {
// +kubebuilder:default=OpenTelemetry
Type TracingProviderType `json:"type"`
// Host define the provider service hostname.
+ // Deprecated: Use BackendRef instead.
Host string `json:"host"`
// Port defines the port the provider service is exposed on.
+ // Deprecated: Use BackendRef instead.
//
// +optional
// +kubebuilder:validation:Minimum=0
// +kubebuilder:default=4317
Port int32 `json:"port,omitempty"`
+ // BackendRef references a Kubernetes object that represents the
+ // backend server to which the accesslog will be sent.
+ // Only service Kind is supported for now.
+ //
+ // +optional
+ BackendRef *gwapiv1.BackendObjectReference `json:"backendRef"`
}
type CustomTagType string
diff --git a/api/v1alpha1/validation/envoygateway_validate_test.go b/api/v1alpha1/validation/envoygateway_validate_test.go
index 612353ba88f..6978a52e35f 100644
--- a/api/v1alpha1/validation/envoygateway_validate_test.go
+++ b/api/v1alpha1/validation/envoygateway_validate_test.go
@@ -646,7 +646,7 @@ func TestEnvoyGatewayProvider(t *testing.T) {
assert.NotNil(t, envoyGateway.Provider)
envoyGatewayProvider := envoyGateway.GetEnvoyGatewayProvider()
- assert.Nil(t, envoyGatewayProvider.Kubernetes)
+ assert.NotNil(t, envoyGatewayProvider.Kubernetes)
assert.Equal(t, envoyGateway.Provider, envoyGatewayProvider)
envoyGatewayProvider.Kubernetes = v1alpha1.DefaultEnvoyGatewayKubeProvider()
diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
new file mode 100644
index 00000000000..f918f92c9e0
--- /dev/null
+++ b/api/v1alpha1/wasm_types.go
@@ -0,0 +1,127 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+ apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+// Wasm defines a wasm extension.
+//
+// Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
+// v8 is used as the VM runtime for the Wasm extensions.
+type Wasm struct {
+ // Name is a unique name for this Wasm extension. It is used to identify the
+ // Wasm extension if multiple extensions are handled by the same vm_id and root_id.
+ // It's also used for logging/debugging.
+ Name string `json:"name"`
+
+ // VMID is an ID that will be used along with a hash of the wasm code to
+ // determine which VM will be used to load the Wasm extension. All extensions
+ // that have the same vm_id and code will use the same VM.
+ //
+ // Note that sharing a VM between plugins can reduce memory utilization and
+ // make sharing of data easier, but it may have security implications.
+ // VMID *string `json:"vmID,omitempty"`
+
+ // RootID is a unique ID for a set of extensions in a VM which will share a
+ // RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
+ // If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
+ // RootID *string `json:"rootID,omitempty"`
+
+ // Code is the wasm code for the extension.
+ Code WasmCodeSource `json:"code"`
+
+ // Config is the configuration for the Wasm extension.
+ // This configuration will be passed as a JSON string to the Wasm extension.
+ Config *apiextensionsv1.JSON `json:"config"`
+
+ // FailOpen is a switch used to control the behavior when a fatal error occurs
+ // during the initialization or the execution of the Wasm extension.
+ // If FailOpen is set to true, the system bypasses the Wasm extension and
+ // allows the traffic to pass through. Otherwise, if it is set to false or
+ // not set (defaulting to false), the system blocks the traffic and returns
+ // an HTTP 5xx error.
+ //
+ // +optional
+ // +kubebuilder:default=false
+ FailOpen *bool `json:"failOpen,omitempty"`
+
+ // Priority defines the location of the Wasm extension in the HTTP filter chain.
+ // If not specified, the Wasm extension will be inserted before the router filter.
+ // Priority *uint32 `json:"priority,omitempty"`
+}
+
+// WasmCodeSource defines the source of the wasm code.
+type WasmCodeSource struct {
+ // Type is the type of the source of the wasm code.
+ // Valid WasmCodeSourceType values are "HTTP" or "Image".
+ //
+ // +kubebuilder:validation:Enum=HTTP;Image
+ // +unionDiscriminator
+ Type WasmCodeSourceType `json:"type"`
+
+ // HTTP is the HTTP URL containing the wasm code.
+ //
+ // Note that the HTTP server must be accessible from the Envoy proxy.
+ // +optional
+ HTTP *HTTPWasmCodeSource `json:"http,omitempty"`
+
+ // Image is the OCI image containing the wasm code.
+ //
+ // Note that the image must be accessible from the Envoy Gateway.
+ // +optional
+ Image *ImageWasmCodeSource `json:"image,omitempty"`
+
+ // SHA256 checksum that will be used to verify the wasm code.
+ // +optional
+ // SHA256 *string `json:"sha256,omitempty"`
+}
+
+// WasmCodeSourceType specifies the types of sources for the wasm code.
+// +kubebuilder:validation:Enum=Global;Local
+type WasmCodeSourceType string
+
+const (
+ // HTTPWasmCodeSourceType allows the user to specify the wasm code in an HTTP URL.
+ HTTPWasmCodeSourceType WasmCodeSourceType = "HTTP"
+
+ // ImageWasmCodeSourceType allows the user to specify the wasm code in an OCI image.
+ ImageWasmCodeSourceType WasmCodeSourceType = "Image"
+)
+
+// HTTPWasmCodeSource defines the HTTP URL containing the wasm code.
+type HTTPWasmCodeSource struct {
+ // URL is the URL containing the wasm code.
+ URL string `json:"url"`
+}
+
+// ImageWasmCodeSource defines the OCI image containing the wasm code.
+type ImageWasmCodeSource struct {
+ // URL is the URL of the OCI image.
+ URL string `json:"url"`
+
+ // PullSecretRef is a reference to the secret containing the credentials to pull the image.
+ PullSecretRef gwapiv1b1.SecretObjectReference `json:"pullSecret"`
+
+ // PullPolicy is the policy to use when pulling the image.
+ // If not specified, the default policy is IfNotPresent for images whose tag is not latest,
+ // and Always for images whose tag is latest.
+ // +optional
+ // PullPolicy *PullPolicy `json:"pullPolicy,omitempty"`
+}
+
+// PullPolicy defines the policy to use when pulling an OIC image.
+/* type PullPolicy string
+
+const (
+ // PullPolicyIfNotPresent will only pull the image if it does not already exist.
+ PullPolicyIfNotPresent PullPolicy = "IfNotPresent"
+
+ // PullPolicyAlways will always pull the image.
+ PullPolicyAlways PullPolicy = "Always"
+)*/
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index eb1266f7356..b4743371c10 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -581,6 +581,11 @@ func (in *Connection) DeepCopyInto(out *Connection) {
*out = new(ConnectionLimit)
(*in).DeepCopyInto(*out)
}
+ if in.BufferLimit != nil {
+ in, out := &in.BufferLimit, &out.BufferLimit
+ x := (*in).DeepCopy()
+ *out = &x
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Connection.
@@ -761,6 +766,20 @@ func (in *EnvoyExtensionPolicyList) DeepCopyObject() runtime.Object {
func (in *EnvoyExtensionPolicySpec) DeepCopyInto(out *EnvoyExtensionPolicySpec) {
*out = *in
in.TargetRef.DeepCopyInto(&out.TargetRef)
+ if in.WASM != nil {
+ in, out := &in.WASM, &out.WASM
+ *out = make([]Wasm, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.ExtProc != nil {
+ in, out := &in.ExtProc, &out.ExtProc
+ *out = make([]ExtProc, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyExtensionPolicySpec.
@@ -928,6 +947,11 @@ func (in *EnvoyGatewayKubernetesProvider) DeepCopyInto(out *EnvoyGatewayKubernet
*out = new(bool)
**out = **in
}
+ if in.LeaderElection != nil {
+ in, out := &in.LeaderElection, &out.LeaderElection
+ *out = new(LeaderElection)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyGatewayKubernetesProvider.
@@ -1492,6 +1516,38 @@ func (in *ExtAuth) DeepCopy() *ExtAuth {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExtProc) DeepCopyInto(out *ExtProc) {
+ *out = *in
+ in.BackendRef.DeepCopyInto(&out.BackendRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProc.
+func (in *ExtProc) DeepCopy() *ExtProc {
+ if in == nil {
+ return nil
+ }
+ out := new(ExtProc)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExtProcBackendRef) DeepCopyInto(out *ExtProcBackendRef) {
+ *out = *in
+ in.BackendObjectReference.DeepCopyInto(&out.BackendObjectReference)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProcBackendRef.
+func (in *ExtProcBackendRef) DeepCopy() *ExtProcBackendRef {
+ if in == nil {
+ return nil
+ }
+ out := new(ExtProcBackendRef)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ExtensionAPISettings) DeepCopyInto(out *ExtensionAPISettings) {
*out = *in
@@ -1874,6 +1930,11 @@ func (in *HTTPClientTimeout) DeepCopyInto(out *HTTPClientTimeout) {
*out = new(v1.Duration)
**out = **in
}
+ if in.IdleTimeout != nil {
+ in, out := &in.IdleTimeout, &out.IdleTimeout
+ *out = new(v1.Duration)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPClientTimeout.
@@ -1937,6 +1998,21 @@ func (in *HTTPTimeout) DeepCopy() *HTTPTimeout {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPWasmCodeSource) DeepCopyInto(out *HTTPWasmCodeSource) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPWasmCodeSource.
+func (in *HTTPWasmCodeSource) DeepCopy() *HTTPWasmCodeSource {
+ if in == nil {
+ return nil
+ }
+ out := new(HTTPWasmCodeSource)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HeaderMatch) DeepCopyInto(out *HeaderMatch) {
*out = *in
@@ -1970,6 +2046,11 @@ func (in *HeaderSettings) DeepCopyInto(out *HeaderSettings) {
*out = new(bool)
**out = **in
}
+ if in.WithUnderscoresAction != nil {
+ in, out := &in.WithUnderscoresAction, &out.WithUnderscoresAction
+ *out = new(WithUnderscoresAction)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderSettings.
@@ -2007,6 +2088,22 @@ func (in *HealthCheck) DeepCopy() *HealthCheck {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageWasmCodeSource) DeepCopyInto(out *ImageWasmCodeSource) {
+ *out = *in
+ in.PullSecretRef.DeepCopyInto(&out.PullSecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageWasmCodeSource.
+func (in *ImageWasmCodeSource) DeepCopy() *ImageWasmCodeSource {
+ if in == nil {
+ return nil
+ }
+ out := new(ImageWasmCodeSource)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JSONPatchOperation) DeepCopyInto(out *JSONPatchOperation) {
*out = *in
@@ -2455,6 +2552,41 @@ func (in *KubernetesWatchMode) DeepCopy() *KubernetesWatchMode {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LeaderElection) DeepCopyInto(out *LeaderElection) {
+ *out = *in
+ if in.LeaseDuration != nil {
+ in, out := &in.LeaseDuration, &out.LeaseDuration
+ *out = new(v1.Duration)
+ **out = **in
+ }
+ if in.RenewDeadline != nil {
+ in, out := &in.RenewDeadline, &out.RenewDeadline
+ *out = new(v1.Duration)
+ **out = **in
+ }
+ if in.RetryPeriod != nil {
+ in, out := &in.RetryPeriod, &out.RetryPeriod
+ *out = new(v1.Duration)
+ **out = **in
+ }
+ if in.Disable != nil {
+ in, out := &in.Disable, &out.Disable
+ *out = new(bool)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LeaderElection.
+func (in *LeaderElection) DeepCopy() *LeaderElection {
+ if in == nil {
+ return nil
+ }
+ out := new(LeaderElection)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LiteralCustomTag) DeepCopyInto(out *LiteralCustomTag) {
*out = *in
@@ -2582,6 +2714,11 @@ func (in *OIDCProvider) DeepCopy() *OIDCProvider {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OpenTelemetryEnvoyProxyAccessLog) DeepCopyInto(out *OpenTelemetryEnvoyProxyAccessLog) {
*out = *in
+ if in.BackendRef != nil {
+ in, out := &in.BackendRef, &out.BackendRef
+ *out = new(v1.BackendObjectReference)
+ (*in).DeepCopyInto(*out)
+ }
if in.Resources != nil {
in, out := &in.Resources, &out.Resources
*out = make(map[string]string, len(*in))
@@ -2846,7 +2983,7 @@ func (in *ProxyMetricSink) DeepCopyInto(out *ProxyMetricSink) {
if in.OpenTelemetry != nil {
in, out := &in.OpenTelemetry, &out.OpenTelemetry
*out = new(ProxyOpenTelemetrySink)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
}
@@ -2897,6 +3034,11 @@ func (in *ProxyMetrics) DeepCopy() *ProxyMetrics {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProxyOpenTelemetrySink) DeepCopyInto(out *ProxyOpenTelemetrySink) {
*out = *in
+ if in.BackendRef != nil {
+ in, out := &in.BackendRef, &out.BackendRef
+ *out = new(v1.BackendObjectReference)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyOpenTelemetrySink.
@@ -2984,7 +3126,7 @@ func (in *ProxyTracing) DeepCopyInto(out *ProxyTracing) {
(*out)[key] = *val.DeepCopy()
}
}
- out.Provider = in.Provider
+ in.Provider.DeepCopyInto(&out.Provider)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyTracing.
@@ -3678,6 +3820,11 @@ func (in *Timeout) DeepCopy() *Timeout {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TracingProvider) DeepCopyInto(out *TracingProvider) {
*out = *in
+ if in.BackendRef != nil {
+ in, out := &in.BackendRef, &out.BackendRef
+ *out = new(v1.BackendObjectReference)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TracingProvider.
@@ -3690,6 +3837,57 @@ func (in *TracingProvider) DeepCopy() *TracingProvider {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Wasm) DeepCopyInto(out *Wasm) {
+ *out = *in
+ in.Code.DeepCopyInto(&out.Code)
+ if in.Config != nil {
+ in, out := &in.Config, &out.Config
+ *out = new(apiextensionsv1.JSON)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.FailOpen != nil {
+ in, out := &in.FailOpen, &out.FailOpen
+ *out = new(bool)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm.
+func (in *Wasm) DeepCopy() *Wasm {
+ if in == nil {
+ return nil
+ }
+ out := new(Wasm)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WasmCodeSource) DeepCopyInto(out *WasmCodeSource) {
+ *out = *in
+ if in.HTTP != nil {
+ in, out := &in.HTTP, &out.HTTP
+ *out = new(HTTPWasmCodeSource)
+ **out = **in
+ }
+ if in.Image != nil {
+ in, out := &in.Image, &out.Image
+ *out = new(ImageWasmCodeSource)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WasmCodeSource.
+func (in *WasmCodeSource) DeepCopy() *WasmCodeSource {
+ if in == nil {
+ return nil
+ }
+ out := new(WasmCodeSource)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *XDSTranslatorHooks) DeepCopyInto(out *XDSTranslatorHooks) {
*out = *in
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
index 678758accc9..4211ecafc03 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: backendtrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -28,18 +28,24 @@ spec:
name: v1alpha1
schema:
openAPIV3Schema:
- description: BackendTrafficPolicy allows the user to configure the behavior
- of the connection between the Envoy Proxy listener and the backend service.
+ description: |-
+ BackendTrafficPolicy allows the user to configure the behavior of the connection
+ between the Envoy Proxy listener and the backend service.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -47,9 +53,9 @@ spec:
description: spec defines the desired state of BackendTrafficPolicy.
properties:
circuitBreaker:
- description: Circuit Breaker settings for the upstream connections
- and requests. If not set, circuit breakers will be enabled with
- the default thresholds
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
properties:
maxConnections:
default: 1024
@@ -88,9 +94,9 @@ spec:
minimum: 0
type: integer
maxRequestsPerConnection:
- description: 'The maximum number of requests that Envoy will make
- over a single connection to the referenced backend defined within
- a xRoute rule. Default: unlimited.'
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
format: int64
maximum: 4294967295
minimum: 0
@@ -99,7 +105,8 @@ spec:
compression:
description: The compression config for the http streams.
items:
- description: Compression defines the config of enabling compression.
+ description: |-
+ Compression defines the config of enabling compression.
This can help reduce the bandwidth at the expense of higher CPU.
properties:
gzip:
@@ -116,10 +123,9 @@ spec:
type: object
type: array
faultInjection:
- description: FaultInjection defines the fault injection policy to
- be applied. This configuration can be used to inject delays and
- abort requests to mimic failure scenarios such as service failures
- and overloads
+ description: |-
+ FaultInjection defines the fault injection policy to be applied. This configuration can be used to
+ inject delays and abort requests to mimic failure scenarios such as service failures and overloads
properties:
abort:
description: If specified, the request will be aborted if it meets
@@ -184,9 +190,9 @@ spec:
minimum: 1
type: integer
http:
- description: HTTP defines the configuration of http health
- checker. It's required while the health checker type is
- HTTP.
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
properties:
expectedResponse:
description: ExpectedResponse defines a list of HTTP expected
@@ -221,8 +227,9 @@ spec:
rule: 'self.type == ''Binary'' ? has(self.binary) :
!has(self.binary)'
expectedStatuses:
- description: ExpectedStatuses defines a list of HTTP response
- statuses considered healthy. Defaults to 200 only
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
items:
description: HTTPStatus defines the http status code.
exclusiveMaximum: true
@@ -231,8 +238,9 @@ spec:
type: integer
type: array
method:
- description: Method defines the HTTP method used for health
- checking. Defaults to GET
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
type: string
path:
description: Path defines the HTTP path that will be requested
@@ -250,7 +258,8 @@ spec:
format: duration
type: string
tcp:
- description: TCP defines the configuration of tcp health checker.
+ description: |-
+ TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP.
properties:
receive:
@@ -372,10 +381,9 @@ spec:
type: integer
consecutiveLocalOriginFailures:
default: 5
- description: ConsecutiveLocalOriginFailures sets the number
- of consecutive local origin failures triggering ejection.
- Parameter takes effect only when split_external_local_origin_errors
- is set to true.
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
interval:
@@ -398,12 +406,14 @@ spec:
type: object
type: object
loadBalancer:
- description: LoadBalancer policy to apply when routing traffic from
- the gateway to the backend endpoints
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints
properties:
consistentHash:
- description: ConsistentHash defines the configuration when the
- load balancer type is set to ConsistentHash
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
properties:
type:
description: ConsistentHashType defines the type of input
@@ -415,26 +425,29 @@ spec:
- type
type: object
slowStart:
- description: SlowStart defines the configuration related to the
- slow start load balancer policy. If set, during slow start window,
- traffic sent to the newly added hosts will gradually increase.
- Currently this is only supported for RoundRobin and LeastRequest
- load balancers
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
properties:
window:
- description: Window defines the duration of the warm up period
- for newly added host. During slow start window, traffic
- sent to the newly added hosts will gradually increase. Currently
- only supports linear growth of traffic. For additional details,
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
type: string
required:
- window
type: object
type:
- description: Type decides the type of Load Balancer policy. Valid
- LoadBalancerType values are "ConsistentHash", "LeastRequest",
- "Random", "RoundRobin",
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin",
enum:
- ConsistentHash
- LeastRequest
@@ -458,8 +471,11 @@ spec:
with the backend.
properties:
version:
- description: Version of ProxyProtol Valid ProxyProtocolVersion
- values are "V1" "V2"
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
enum:
- V1
- V2
@@ -468,55 +484,55 @@ spec:
- version
type: object
rateLimit:
- description: RateLimit allows the user to limit the number of incoming
- requests to a predefined value based on attributes within the traffic
- flow.
+ description: |-
+ RateLimit allows the user to limit the number of incoming requests
+ to a predefined value based on attributes within the traffic flow.
properties:
global:
description: Global defines global rate limit configuration.
properties:
rules:
- description: Rules are a list of RateLimit selectors and limits.
- Each rule and its associated limit is applied in a mutually
- exclusive way. If a request matches multiple rules, each
- of their associated limits get applied, so a single request
- might increase the rate limit counters for multiple rules
- if selected. The rate limit service will return a logical
- OR of the individual rate limit decisions of all matching
- rules. For example, if a request matches two rules, one
- rate limited and one not, the final decision will be to
- rate limit the request.
+ description: |-
+ Rules are a list of RateLimit selectors and limits. Each rule and its
+ associated limit is applied in a mutually exclusive way. If a request
+ matches multiple rules, each of their associated limits get applied, so a
+ single request might increase the rate limit counters for multiple rules
+ if selected. The rate limit service will return a logical OR of the individual
+ rate limit decisions of all matching rules. For example, if a request
+ matches two rules, one rate limited and one not, the final decision will be
+ to rate limit the request.
items:
- description: RateLimitRule defines the semantics for matching
- attributes from the incoming requests, and setting limits
- for them.
+ description: |-
+ RateLimitRule defines the semantics for matching attributes
+ from the incoming requests, and setting limits for them.
properties:
clientSelectors:
- description: "ClientSelectors holds the list of select
- conditions to select specific clients using attributes
- from the traffic flow. All individual select conditions
- must hold True for this rule and its limit to be applied.
- \n If no client selectors are specified, the rule
- applies to all traffic of the targeted Route. \n If
- the policy targets a Gateway, the rule applies to
- each Route of the Gateway. Please note that each Route
- has its own rate limit counters. For example, if a
- Gateway has two Routes, and the policy has a rule
- with limit 10rps, each Route will have its own 10rps
- limit."
+ description: |-
+ ClientSelectors holds the list of select conditions to select
+ specific clients using attributes from the traffic flow.
+ All individual select conditions must hold True for this rule
+ and its limit to be applied.
+
+
+ If no client selectors are specified, the rule applies to all traffic of
+ the targeted Route.
+
+
+ If the policy targets a Gateway, the rule applies to each Route of the Gateway.
+ Please note that each Route has its own rate limit counters. For example,
+ if a Gateway has two Routes, and the policy has a rule with limit 10rps,
+ each Route will have its own 10rps limit.
items:
- description: RateLimitSelectCondition specifies the
- attributes within the traffic flow that can be used
- to select a subset of clients to be ratelimited.
- All the individual conditions must hold True for
- the overall condition to hold True.
+ description: |-
+ RateLimitSelectCondition specifies the attributes within the traffic flow that can
+ be used to select a subset of clients to be ratelimited.
+ All the individual conditions must hold True for the overall condition to hold True.
properties:
headers:
- description: Headers is a list of request headers
- to match. Multiple header values are ANDed together,
- meaning, a request MUST match all the specified
- headers. At least one of headers or sourceCIDR
- condition must be specified.
+ description: |-
+ Headers is a list of request headers to match. Multiple header values are ANDed together,
+ meaning, a request MUST match all the specified headers.
+ At least one of headers or sourceCIDR condition must be specified.
items:
description: HeaderMatch defines the match attributes
within the HTTP Headers of the request.
@@ -536,12 +552,11 @@ spec:
- Distinct
type: string
value:
- description: Value within the HTTP header.
- Due to the case-insensitivity of header
- names, "foo" and "Foo" are considered
- equivalent. Do not set this field when
- Type="Distinct", implying matching on
- any/all unique values within the header.
+ description: |-
+ Value within the HTTP header. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
maxLength: 1024
type: string
required:
@@ -553,21 +568,18 @@ spec:
- name
x-kubernetes-list-type: map
sourceCIDR:
- description: SourceCIDR is the client IP Address
- range to match on. At least one of headers or
- sourceCIDR condition must be specified.
+ description: |-
+ SourceCIDR is the client IP Address range to match on.
+ At least one of headers or sourceCIDR condition must be specified.
properties:
type:
default: Exact
type: string
value:
- description: Value is the IP CIDR that represents
- the range of Source IP Addresses of the
- client. These could also be the intermediate
- addresses through which the request has
- flown through and is part of the `X-Forwarded-For`
- header. For example, `192.168.0.1/32`, `192.168.0.0/24`,
- `001:db8::/64`.
+ description: |-
+ Value is the IP CIDR that represents the range of Source IP Addresses of the client.
+ These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
+ For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
maxLength: 256
minLength: 1
type: string
@@ -578,20 +590,20 @@ spec:
maxItems: 8
type: array
limit:
- description: Limit holds the rate limit values. This
- limit is applied for traffic flows when the selectors
- compute to True, causing the request to be counted
- towards the limit. The limit is enforced and the request
- is ratelimited, i.e. a response with 429 HTTP status
- code is sent back to the client when the selected
- requests have reached the limit.
+ description: |-
+ Limit holds the rate limit values.
+ This limit is applied for traffic flows when the selectors
+ compute to True, causing the request to be counted towards the limit.
+ The limit is enforced and the request is ratelimited, i.e. a response with
+ 429 HTTP status code is sent back to the client when
+ the selected requests have reached the limit.
properties:
requests:
type: integer
unit:
- description: RateLimitUnit specifies the intervals
- for setting rate limits. Valid RateLimitUnit values
- are "Second", "Minute", "Hour", and "Day".
+ description: |-
+ RateLimitUnit specifies the intervals for setting rate limits.
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
enum:
- Second
- Minute
@@ -614,42 +626,43 @@ spec:
description: Local defines local rate limit configuration.
properties:
rules:
- description: Rules are a list of RateLimit selectors and limits.
- If a request matches multiple rules, the strictest limit
- is applied. For example, if a request matches two rules,
- one with 10rps and one with 20rps, the final limit will
+ description: |-
+ Rules are a list of RateLimit selectors and limits. If a request matches
+ multiple rules, the strictest limit is applied. For example, if a request
+ matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps.
items:
- description: RateLimitRule defines the semantics for matching
- attributes from the incoming requests, and setting limits
- for them.
+ description: |-
+ RateLimitRule defines the semantics for matching attributes
+ from the incoming requests, and setting limits for them.
properties:
clientSelectors:
- description: "ClientSelectors holds the list of select
- conditions to select specific clients using attributes
- from the traffic flow. All individual select conditions
- must hold True for this rule and its limit to be applied.
- \n If no client selectors are specified, the rule
- applies to all traffic of the targeted Route. \n If
- the policy targets a Gateway, the rule applies to
- each Route of the Gateway. Please note that each Route
- has its own rate limit counters. For example, if a
- Gateway has two Routes, and the policy has a rule
- with limit 10rps, each Route will have its own 10rps
- limit."
+ description: |-
+ ClientSelectors holds the list of select conditions to select
+ specific clients using attributes from the traffic flow.
+ All individual select conditions must hold True for this rule
+ and its limit to be applied.
+
+
+ If no client selectors are specified, the rule applies to all traffic of
+ the targeted Route.
+
+
+ If the policy targets a Gateway, the rule applies to each Route of the Gateway.
+ Please note that each Route has its own rate limit counters. For example,
+ if a Gateway has two Routes, and the policy has a rule with limit 10rps,
+ each Route will have its own 10rps limit.
items:
- description: RateLimitSelectCondition specifies the
- attributes within the traffic flow that can be used
- to select a subset of clients to be ratelimited.
- All the individual conditions must hold True for
- the overall condition to hold True.
+ description: |-
+ RateLimitSelectCondition specifies the attributes within the traffic flow that can
+ be used to select a subset of clients to be ratelimited.
+ All the individual conditions must hold True for the overall condition to hold True.
properties:
headers:
- description: Headers is a list of request headers
- to match. Multiple header values are ANDed together,
- meaning, a request MUST match all the specified
- headers. At least one of headers or sourceCIDR
- condition must be specified.
+ description: |-
+ Headers is a list of request headers to match. Multiple header values are ANDed together,
+ meaning, a request MUST match all the specified headers.
+ At least one of headers or sourceCIDR condition must be specified.
items:
description: HeaderMatch defines the match attributes
within the HTTP Headers of the request.
@@ -669,12 +682,11 @@ spec:
- Distinct
type: string
value:
- description: Value within the HTTP header.
- Due to the case-insensitivity of header
- names, "foo" and "Foo" are considered
- equivalent. Do not set this field when
- Type="Distinct", implying matching on
- any/all unique values within the header.
+ description: |-
+ Value within the HTTP header. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
maxLength: 1024
type: string
required:
@@ -686,21 +698,18 @@ spec:
- name
x-kubernetes-list-type: map
sourceCIDR:
- description: SourceCIDR is the client IP Address
- range to match on. At least one of headers or
- sourceCIDR condition must be specified.
+ description: |-
+ SourceCIDR is the client IP Address range to match on.
+ At least one of headers or sourceCIDR condition must be specified.
properties:
type:
default: Exact
type: string
value:
- description: Value is the IP CIDR that represents
- the range of Source IP Addresses of the
- client. These could also be the intermediate
- addresses through which the request has
- flown through and is part of the `X-Forwarded-For`
- header. For example, `192.168.0.1/32`, `192.168.0.0/24`,
- `001:db8::/64`.
+ description: |-
+ Value is the IP CIDR that represents the range of Source IP Addresses of the client.
+ These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
+ For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
maxLength: 256
minLength: 1
type: string
@@ -711,20 +720,20 @@ spec:
maxItems: 8
type: array
limit:
- description: Limit holds the rate limit values. This
- limit is applied for traffic flows when the selectors
- compute to True, causing the request to be counted
- towards the limit. The limit is enforced and the request
- is ratelimited, i.e. a response with 429 HTTP status
- code is sent back to the client when the selected
- requests have reached the limit.
+ description: |-
+ Limit holds the rate limit values.
+ This limit is applied for traffic flows when the selectors
+ compute to True, causing the request to be counted towards the limit.
+ The limit is enforced and the request is ratelimited, i.e. a response with
+ 429 HTTP status code is sent back to the client when
+ the selected requests have reached the limit.
properties:
requests:
type: integer
unit:
- description: RateLimitUnit specifies the intervals
- for setting rate limits. Valid RateLimitUnit values
- are "Second", "Minute", "Hour", and "Day".
+ description: |-
+ RateLimitUnit specifies the intervals for setting rate limits.
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
enum:
- Second
- Minute
@@ -742,8 +751,9 @@ spec:
type: array
type: object
type:
- description: Type decides the scope for the RateLimits. Valid
- RateLimitType values are "Global" or "Local".
+ description: |-
+ Type decides the scope for the RateLimits.
+ Valid RateLimitType values are "Global" or "Local".
enum:
- Global
- Local
@@ -752,9 +762,9 @@ spec:
- type
type: object
retry:
- description: Retry provides more advanced usage, allowing users to
- customize the number of retries, retry fallback strategy, and retry
- triggering conditions. If not set, retry will be disabled.
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
properties:
numRetries:
default: 2
@@ -768,8 +778,8 @@ spec:
attempt.
properties:
backOff:
- description: Backoff is the backoff policy to be applied per
- retry attempt. gateway uses a fully jittered exponential
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
properties:
@@ -779,10 +789,9 @@ spec:
format: duration
type: string
maxInterval:
- description: MaxInterval is the maximum interval between
- retries. This parameter is optional, but must be greater
- than or equal to the base_interval if set. The default
- is 10 times the base_interval
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
format: duration
type: string
type: object
@@ -792,13 +801,16 @@ spec:
type: string
type: object
retryOn:
- description: "RetryOn specifies the retry trigger condition. \n
- If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503)."
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
properties:
httpStatusCodes:
- description: HttpStatusCodes specifies the http status codes
- to be retried. The retriable-status-codes trigger must also
- be configured for these status codes to trigger a retry.
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
items:
description: HTTPStatus defines the http status code.
exclusiveMaximum: true
@@ -829,10 +841,11 @@ spec:
type: object
type: object
targetRef:
- description: targetRef is the name of the resource this policy is
- being attached to. This Policy and the TargetRef MUST be in the
- same namespace for this Policy to have effect and be applied to
- the Gateway.
+ description: |-
+ targetRef is the name of the resource this policy
+ is being attached to.
+ This Policy and the TargetRef MUST be in the same namespace
+ for this Policy to have effect and be applied to the Gateway.
properties:
group:
description: Group is the group of the target resource.
@@ -851,23 +864,29 @@ spec:
minLength: 1
type: string
namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, the local
+ namespace is inferred. Even when policy targets a resource in a different
+ namespace, it MUST only apply to traffic originating from the same
+ namespace as the policy.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name
+ * Service: Port Name
+
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -886,23 +905,29 @@ spec:
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
tcpKeepalive:
- description: TcpKeepalive settings associated with the upstream client
- connection. Disabled by default.
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
properties:
idleTime:
- description: The duration a connection needs to be idle before
- keep-alive probes start being sent. The duration format is Defaults
- to `7200s`.
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
interval:
- description: The duration between keep-alive probes. Defaults
- to `75s`.
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
probes:
- description: The total number of unacknowledged probes to send
- before deciding the connection is dead. Defaults to 9.
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
format: int32
type: integer
type: object
@@ -913,14 +938,15 @@ spec:
description: Timeout settings for HTTP.
properties:
connectionIdleTimeout:
- description: 'The idle timeout for an HTTP connection. Idle
- time is defined as a period in which there are no active
- requests in the connection. Default: 1 hour.'
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxConnectionDuration:
- description: 'The maximum duration of an HTTP connection.
- Default: unlimited.'
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
@@ -928,8 +954,9 @@ spec:
description: Timeout settings for TCP.
properties:
connectTimeout:
- description: 'The timeout for network connection establishment,
- including TCP and TLS handshakes. Default: 10 seconds.'
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
@@ -941,169 +968,233 @@ spec:
description: status defines the current status of BackendTrafficPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+
+ There are two kinds of parent resources with "Core" support:
+
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, experimental, ClusterIP Services only)
+
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+
+ Support: Extended
+
+
+
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services as Parents
+ is part of experimental Mesh support and is not supported for any other
+ purpose.
+
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -1116,46 +1207,45 @@ spec:
respect to the given Ancestor.
items:
description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
+ the current state of this API Resource.\n---\nThis struct
is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ .status.conditions. For example,\n\n\n\ttype FooStatus
+ struct{\n\t // Represents the observations of a foo's
+ current state.\n\t // Known .status.conditions.type are:
+ \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
+ +listType=map\n\t // +listMapKey=type\n\t Conditions
+ []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
+ patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -1169,12 +1259,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1192,16 +1282,23 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+
+ Example: "example.net/gateway-controller".
+
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index 028774b4374..1bcbce9a1d0 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: clienttrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -28,18 +28,24 @@ spec:
name: v1alpha1
schema:
openAPIV3Schema:
- description: ClientTrafficPolicy allows the user to configure the behavior
- of the connection between the downstream client and Envoy Proxy listener.
+ description: |-
+ ClientTrafficPolicy allows the user to configure the behavior of the connection
+ between the downstream client and Envoy Proxy listener.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -51,16 +57,16 @@ spec:
determining the original client IP address for requests.
properties:
customHeader:
- description: CustomHeader provides configuration for determining
- the client IP address for a request based on a trusted custom
- HTTP header. This uses the the custom_header original IP detection
- extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+ description: |-
+ CustomHeader provides configuration for determining the client IP address for a request based on
+ a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+ Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details.
properties:
failClosed:
- description: FailClosed is a switch used to control the flow
- of traffic when client IP detection fails. If set to true,
- the listener will respond with 403 Forbidden when the client
+ description: |-
+ FailClosed is a switch used to control the flow of traffic when client IP detection
+ fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined.
type: boolean
name:
@@ -79,9 +85,9 @@ spec:
address.
properties:
numTrustedHops:
- description: NumTrustedHops controls the number of additional
- ingress proxy hops from the right side of XFF HTTP headers
- to trust when determining the origin client's IP address.
+ description: |-
+ NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
+ headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details.
format: int32
@@ -94,37 +100,65 @@ spec:
connection:
description: Connection includes client connection settings.
properties:
+ bufferLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ Default: 32768 bytes.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: bufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$"
+ rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$")
+ : type(self) == int'
connectionLimit:
description: ConnectionLimit defines limits related to connections
properties:
closeDelay:
- description: 'CloseDelay defines the delay to use before closing
- connections that are rejected once the limit value is reached.
- Default: none.'
+ description: |-
+ CloseDelay defines the delay to use before closing connections that are rejected
+ once the limit value is reached.
+ Default: none.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
value:
- description: 'Value of the maximum concurrent connections
- limit. When the limit is reached, incoming connections will
- be closed after the CloseDelay duration. Default: unlimited.'
+ description: |-
+ Value of the maximum concurrent connections limit.
+ When the limit is reached, incoming connections will be closed after the CloseDelay duration.
+ Default: unlimited.
format: int64
minimum: 0
type: integer
type: object
type: object
enableProxyProtocol:
- description: EnableProxyProtocol interprets the ProxyProtocol header
- and adds the Client Address into the X-Forwarded-For header. Note
- Proxy Protocol must be present when this field is set, else the
- connection is closed.
+ description: |-
+ EnableProxyProtocol interprets the ProxyProtocol header and adds the
+ Client Address into the X-Forwarded-For header.
+ Note Proxy Protocol must be present when this field is set, else the connection
+ is closed.
type: boolean
headers:
description: HeaderSettings provides configuration for header management.
properties:
enableEnvoyHeaders:
- description: EnableEnvoyHeaders configures Envoy Proxy to add
- the "X-Envoy-" headers to requests and responses.
+ description: |-
+ EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
+ and responses.
type: boolean
+ withUnderscoresAction:
+ description: |-
+ WithUnderscoresAction configures the action to take when an HTTP header with underscores
+ is encountered. The default action is to reject the request.
+ enum:
+ - Allow
+ - RejectRequest
+ - DropHeader
+ type: string
type: object
http1:
description: HTTP1 provides HTTP/1 configuration on the listener.
@@ -138,17 +172,18 @@ spec:
requests.
properties:
useDefaultHost:
- description: UseDefaultHost defines if the HTTP/1.0 request
- is missing the Host header, then the hostname associated
- with the listener should be injected into the request. If
- this is not set and an HTTP/1.0 request arrives without
- a host, then it will be rejected.
+ description: |-
+ UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
+ then the hostname associated with the listener should be injected into the
+ request.
+ If this is not set and an HTTP/1.0 request arrives without a host, then
+ it will be rejected.
type: boolean
type: object
preserveHeaderCase:
- description: PreserveHeaderCase defines if Envoy should preserve
- the letter case of headers. By default, Envoy will lowercase
- all the headers.
+ description: |-
+ PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
+ By default, Envoy will lowercase all the headers.
type: boolean
type: object
http3:
@@ -159,15 +194,16 @@ spec:
can be normalized.
properties:
disableMergeSlashes:
- description: DisableMergeSlashes allows disabling the default
- configuration of merging adjacent slashes in the path. Note
- that slash merging is not part of the HTTP spec and is provided
- for convenience.
+ description: |-
+ DisableMergeSlashes allows disabling the default configuration of merging adjacent
+ slashes in the path.
+ Note that slash merging is not part of the HTTP spec and is provided for convenience.
type: boolean
escapedSlashesAction:
- description: EscapedSlashesAction determines how %2f, %2F, %5c,
- or %5C sequences in the path URI should be handled. The default
- is UnescapeAndRedirect.
+ description: |-
+ EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
+ should be handled.
+ The default is UnescapeAndRedirect.
enum:
- KeepUnchanged
- RejectRequest
@@ -176,10 +212,12 @@ spec:
type: string
type: object
targetRef:
- description: TargetRef is the name of the Gateway resource this policy
- is being attached to. This Policy and the TargetRef MUST be in the
- same namespace for this Policy to have effect and be applied to
- the Gateway. TargetRef
+ description: |-
+ TargetRef is the name of the Gateway resource this policy
+ is being attached to.
+ This Policy and the TargetRef MUST be in the same namespace
+ for this Policy to have effect and be applied to the Gateway.
+ TargetRef
properties:
group:
description: Group is the group of the target resource.
@@ -198,23 +236,29 @@ spec:
minLength: 1
type: string
namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, the local
+ namespace is inferred. Even when policy targets a resource in a different
+ namespace, it MUST only apply to traffic originating from the same
+ namespace as the policy.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name
+ * Service: Port Name
+
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -232,24 +276,30 @@ spec:
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
tcpKeepalive:
- description: TcpKeepalive settings associated with the downstream
- client connection. If defined, sets SO_KEEPALIVE on the listener
- socket to enable TCP Keepalives. Disabled by default.
+ description: |-
+ TcpKeepalive settings associated with the downstream client connection.
+ If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
+ Disabled by default.
properties:
idleTime:
- description: The duration a connection needs to be idle before
- keep-alive probes start being sent. The duration format is Defaults
- to `7200s`.
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
interval:
- description: The duration between keep-alive probes. Defaults
- to `75s`.
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
probes:
- description: The total number of unacknowledged probes to send
- before deciding the connection is dead. Defaults to 9.
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
format: int32
type: integer
type: object
@@ -259,11 +309,16 @@ spec:
http:
description: Timeout settings for HTTP.
properties:
+ idleTimeout:
+ description: |-
+ IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestReceivedTimeout:
- description: The duration envoy waits for the complete request
- reception. This timer starts upon request initiation and
- stops when either the last byte of the request is sent upstream
- or when the response begins.
+ description: |-
+ RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
+ initiation and stops when either the last byte of the request is sent upstream or when the response begins.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
@@ -273,9 +328,13 @@ spec:
the downstream client.
properties:
alpnProtocols:
- description: 'ALPNProtocols supplies the list of ALPN protocols
- that should be exposed by the listener. By default h2 and http/1.1
- are enabled. Supported values are: - http/1.0 - http/1.1 - h2'
+ description: |-
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener. By default h2 and http/1.1 are enabled.
+ Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
items:
description: ALPNProtocol specifies the protocol to be negotiated
using ALPN
@@ -286,46 +345,61 @@ spec:
type: string
type: array
ciphers:
- description: 'Ciphers specifies the set of cipher suites supported
- when negotiating TLS 1.0 - 1.2. This setting has no effect for
- TLS 1.3. In non-FIPS Envoy Proxy builds the default cipher list
- is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ description: |-
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
- In builds using BoringSSL FIPS the default cipher list is: -
- ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
- - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384'
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
items:
type: string
type: array
clientValidation:
- description: ClientValidation specifies the configuration to validate
- the client initiating the TLS connection to the Gateway listener.
+ description: |-
+ ClientValidation specifies the configuration to validate the client
+ initiating the TLS connection to the Gateway listener.
properties:
caCertificateRefs:
- description: "CACertificateRefs contains one or more references
- to Kubernetes objects that contain TLS certificates of the
- Certificate Authorities that can be used as a trust anchor
- to validate the certificates presented by the client. \n
- A single reference to a Kubernetes ConfigMap or a Kubernetes
- Secret, with the CA certificate in a key named `ca.crt`
- is currently supported. \n References to a resource in different
- namespace are invalid UNLESS there is a ReferenceGrant in
- the target namespace that allows the certificate to be attached."
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+
+ A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+ with the CA certificate in a key named `ca.crt` is currently supported.
+
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached.
items:
- description: "SecretObjectReference identifies an API object
- including its namespace, defaulting to Secret. \n The
- API object must be valid in the cluster; the Group and
- Kind must be registered in the cluster for this reference
- to be valid. \n References to objects with invalid Group
- and Kind are not valid, and must be rejected by the implementation,
- with appropriate Conditions set on the containing object."
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
properties:
group:
default: ""
- description: Group is the group of the referent. For
- example, "gateway.networking.k8s.io". When unspecified
- or empty string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -343,13 +417,18 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is
- required in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -361,16 +440,20 @@ spec:
type: array
type: object
ecdhCurves:
- description: 'ECDHCurves specifies the set of supported ECDH curves.
- In non-FIPS Envoy Proxy builds the default curves are: - X25519
- - P-256 In builds using BoringSSL FIPS the default curve is:
- - P-256'
+ description: |-
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
items:
type: string
type: array
maxVersion:
- description: Max specifies the maximal TLS protocol version to
- allow The default is TLS 1.3 if this is not specified.
+ description: |-
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
enum:
- Auto
- "1.0"
@@ -379,8 +462,9 @@ spec:
- "1.3"
type: string
minVersion:
- description: Min specifies the minimal TLS protocol version to
- allow. The default is TLS 1.2 if this is not specified.
+ description: |-
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
enum:
- Auto
- "1.0"
@@ -389,8 +473,9 @@ spec:
- "1.3"
type: string
signatureAlgorithms:
- description: SignatureAlgorithms specifies which signature algorithms
- the listener should support.
+ description: |-
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
items:
type: string
type: array
@@ -412,169 +497,233 @@ spec:
description: Status defines the current status of ClientTrafficPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+
+ There are two kinds of parent resources with "Core" support:
+
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, experimental, ClusterIP Services only)
+
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+
+ Support: Extended
+
+
+
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services as Parents
+ is part of experimental Mesh support and is not supported for any other
+ purpose.
+
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -587,46 +736,45 @@ spec:
respect to the given Ancestor.
items:
description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
+ the current state of this API Resource.\n---\nThis struct
is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ .status.conditions. For example,\n\n\n\ttype FooStatus
+ struct{\n\t // Represents the observations of a foo's
+ current state.\n\t // Known .status.conditions.type are:
+ \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
+ +listType=map\n\t // +listMapKey=type\n\t Conditions
+ []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
+ patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -640,12 +788,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -663,16 +811,23 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+
+ Example: "example.net/gateway-controller".
+
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
index 842dd9ce336..1207b989e8f 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: envoyextensionpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -30,32 +30,131 @@ spec:
extensibility options for the Gateway.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of EnvoyExtensionPolicy.
properties:
- priority:
- description: Priority of the EnvoyExtensionPolicy. If multiple EnvoyExtensionPolices
- are applied to the same TargetRef, extensions will execute in the
- ascending order of the priority i.e. int32.min has the highest priority
- and int32.max has the lowest priority. Defaults to 0.
- format: int32
- type: integer
+ extProc:
+ description: |-
+ ExtProc is an ordered list of external processing filters
+ that should added to the envoy filter chain
+ items:
+ description: ExtProc defines the configuration for External Processing
+ filter.
+ properties:
+ backendRef:
+ description: Service defines the configuration of the external
+ processing service
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+
+ Defaults to "Service" when not specified.
+
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type other than ExternalName)
+
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ x-kubernetes-validations:
+ - message: group is invalid, only the core API group (specified
+ by omitting the group field or setting it to an empty string)
+ is supported
+ rule: 'has(self.backendRef) ? (!has(self.backendRef.group) ||
+ self.backendRef.group == "") : true'
+ - message: kind is invalid, only Service (specified by omitting
+ the kind field or setting it to 'Service') is supported
+ rule: 'has(self.backendRef) ? (!has(self.backendRef.kind) || self.backendRef.kind
+ == ''Service'') : true'
+ type: array
targetRef:
- description: TargetRef is the name of the Gateway resource this policy
- is being attached to. This Policy and the TargetRef MUST be in the
- same namespace for this Policy to have effect and be applied to
- the Gateway. TargetRef
+ description: |-
+ TargetRef is the name of the Gateway resource this policy
+ is being attached to.
+ This Policy and the TargetRef MUST be in the same namespace
+ for this Policy to have effect and be applied to the Gateway.
+ TargetRef
properties:
group:
description: Group is the group of the target resource.
@@ -74,23 +173,29 @@ spec:
minLength: 1
type: string
namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, the local
+ namespace is inferred. Even when policy targets a resource in a different
+ namespace, it MUST only apply to traffic originating from the same
+ namespace as the policy.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name
+ * Service: Port Name
+
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -108,6 +213,136 @@ spec:
'TCPRoute', 'TLSRoute']
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
+ wasm:
+ description: |-
+ WASM is a list of Wasm extensions to be loaded by the Gateway.
+ Order matters, as the extensions will be loaded in the order they are
+ defined in this list.
+ items:
+ description: |-
+ Wasm defines a wasm extension.
+
+
+ Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
+ v8 is used as the VM runtime for the Wasm extensions.
+ properties:
+ code:
+ description: Code is the wasm code for the extension.
+ properties:
+ http:
+ description: |-
+ HTTP is the HTTP URL containing the wasm code.
+
+
+ Note that the HTTP server must be accessible from the Envoy proxy.
+ properties:
+ url:
+ description: URL is the URL containing the wasm code.
+ type: string
+ required:
+ - url
+ type: object
+ image:
+ description: |-
+ Image is the OCI image containing the wasm code.
+
+
+ Note that the image must be accessible from the Envoy Gateway.
+ properties:
+ pullSecret:
+ description: PullSecretRef is a reference to the secret
+ containing the credentials to pull the image.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ url:
+ description: URL is the URL of the OCI image.
+ type: string
+ required:
+ - pullSecret
+ - url
+ type: object
+ type:
+ allOf:
+ - enum:
+ - Global
+ - Local
+ - enum:
+ - HTTP
+ - Image
+ description: |-
+ Type is the type of the source of the wasm code.
+ Valid WasmCodeSourceType values are "HTTP" or "Image".
+ type: string
+ required:
+ - type
+ type: object
+ config:
+ description: |-
+ Config is the configuration for the Wasm extension.
+ This configuration will be passed as a JSON string to the Wasm extension.
+ x-kubernetes-preserve-unknown-fields: true
+ failOpen:
+ default: false
+ description: |-
+ FailOpen is a switch used to control the behavior when a fatal error occurs
+ during the initialization or the execution of the Wasm extension.
+ If FailOpen is set to true, the system bypasses the Wasm extension and
+ allows the traffic to pass through. Otherwise, if it is set to false or
+ not set (defaulting to false), the system blocks the traffic and returns
+ an HTTP 5xx error.
+ type: boolean
+ name:
+ description: |-
+ Name is a unique name for this Wasm extension. It is used to identify the
+ Wasm extension if multiple extensions are handled by the same vm_id and root_id.
+ It's also used for logging/debugging.
+ type: string
+ required:
+ - code
+ - config
+ - name
+ type: object
+ type: array
required:
- targetRef
type: object
@@ -115,169 +350,233 @@ spec:
description: Status defines the current status of EnvoyExtensionPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+
+ There are two kinds of parent resources with "Core" support:
+
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, experimental, ClusterIP Services only)
+
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+
+ Support: Extended
+
+
+
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services as Parents
+ is part of experimental Mesh support and is not supported for any other
+ purpose.
+
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -290,46 +589,45 @@ spec:
respect to the given Ancestor.
items:
description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
+ the current state of this API Resource.\n---\nThis struct
is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ .status.conditions. For example,\n\n\n\ttype FooStatus
+ struct{\n\t // Represents the observations of a foo's
+ current state.\n\t // Known .status.conditions.type are:
+ \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
+ +listType=map\n\t // +listMapKey=type\n\t Conditions
+ []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
+ patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -343,12 +641,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -366,16 +664,23 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+
+ Example: "example.net/gateway-controller".
+
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
index 5b523698d3c..9e20ec9c57e 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: envoypatchpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -28,18 +28,24 @@ spec:
name: v1alpha1
schema:
openAPIV3Schema:
- description: EnvoyPatchPolicy allows the user to modify the generated Envoy
- xDS resources by Envoy Gateway using this patch API
+ description: |-
+ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS
+ resources by Envoy Gateway using this patch API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -49,8 +55,9 @@ spec:
jsonPatches:
description: JSONPatch defines the JSONPatch configuration.
items:
- description: EnvoyJSONPatchConfig defines the configuration for
- patching a Envoy xDS Resource using JSONPatch semantic
+ description: |-
+ EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource
+ using JSONPatch semantic
properties:
name:
description: Name is the name of the resource
@@ -59,10 +66,10 @@ spec:
description: Patch defines the JSON Patch Operation
properties:
from:
- description: From is the source location of the value to
- be copied or moved. Only valid for move or copy operations
- Refer to https://datatracker.ietf.org/doc/html/rfc6901
- for more details.
+ description: |-
+ From is the source location of the value to be copied or moved. Only valid
+ for move or copy operations
+ Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
type: string
op:
description: Op is the type of operation to perform
@@ -75,13 +82,14 @@ spec:
- test
type: string
path:
- description: Path is the location of the target document/field
- where the operation will be performed Refer to https://datatracker.ietf.org/doc/html/rfc6901
- for more details.
+ description: |-
+ Path is the location of the target document/field where the operation will be performed
+ Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
type: string
value:
- description: Value is the new value of the path location.
- The value is only used by the `add` and `replace` operations.
+ description: |-
+ Value is the new value of the path location. The value is only used by
+ the `add` and `replace` operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
@@ -103,18 +111,23 @@ spec:
type: object
type: array
priority:
- description: Priority of the EnvoyPatchPolicy. If multiple EnvoyPatchPolicies
- are applied to the same TargetRef, they will be applied in the ascending
- order of the priority i.e. int32.min has the highest priority and
- int32.max has the lowest priority. Defaults to 0.
+ description: |-
+ Priority of the EnvoyPatchPolicy.
+ If multiple EnvoyPatchPolicies are applied to the same
+ TargetRef, they will be applied in the ascending order of
+ the priority i.e. int32.min has the highest priority and
+ int32.max has the lowest priority.
+ Defaults to 0.
format: int32
type: integer
targetRef:
- description: TargetRef is the name of the Gateway API resource this
- policy is being attached to. By default attaching to Gateway is
- supported and when mergeGateways is enabled it should attach to
- GatewayClass. This Policy and the TargetRef MUST be in the same
- namespace for this Policy to have effect and be applied to the Gateway
+ description: |-
+ TargetRef is the name of the Gateway API resource this policy
+ is being attached to.
+ By default attaching to Gateway is supported and
+ when mergeGateways is enabled it should attach to GatewayClass.
+ This Policy and the TargetRef MUST be in the same namespace
+ for this Policy to have effect and be applied to the Gateway
TargetRef
properties:
group:
@@ -134,10 +147,11 @@ spec:
minLength: 1
type: string
namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, the local
+ namespace is inferred. Even when policy targets a resource in a different
+ namespace, it MUST only apply to traffic originating from the same
+ namespace as the policy.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -148,8 +162,9 @@ spec:
- name
type: object
type:
- description: Type decides the type of patch. Valid EnvoyPatchType
- values are "JSONPatch".
+ description: |-
+ Type decides the type of patch.
+ Valid EnvoyPatchType values are "JSONPatch".
enum:
- JSONPatch
type: string
@@ -161,169 +176,233 @@ spec:
description: Status defines the current status of EnvoyPatchPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+
+ There are two kinds of parent resources with "Core" support:
+
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, experimental, ClusterIP Services only)
+
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+
+ Support: Extended
+
+
+
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services as Parents
+ is part of experimental Mesh support and is not supported for any other
+ purpose.
+
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -336,46 +415,45 @@ spec:
respect to the given Ancestor.
items:
description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
+ the current state of this API Resource.\n---\nThis struct
is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ .status.conditions. For example,\n\n\n\ttype FooStatus
+ struct{\n\t // Represents the observations of a foo's
+ current state.\n\t // Known .status.conditions.type are:
+ \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
+ +listType=map\n\t // +listMapKey=type\n\t Conditions
+ []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
+ patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -389,12 +467,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -412,16 +490,23 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+
+ Example: "example.net/gateway-controller".
+
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 8034ba3ffbd..d500d1cd83a 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: envoyproxies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -24,14 +24,19 @@ spec:
description: EnvoyProxy is the schema for the envoyproxies API.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -39,25 +44,23 @@ spec:
description: EnvoyProxySpec defines the desired state of EnvoyProxy.
properties:
bootstrap:
- description: Bootstrap defines the Envoy Bootstrap as a YAML string.
+ description: |-
+ Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
- to learn more about the syntax. If set, this is the Bootstrap configuration
- used for the managed Envoy Proxy fleet instead of the default Bootstrap
- configuration set by Envoy Gateway. Some fields within the Bootstrap
- that are required to communicate with the xDS Server (Envoy Gateway)
- and receive xDS resources from it are not configurable and will
- result in the `EnvoyProxy` resource being rejected. Backward compatibility
- across minor versions is not guaranteed. We strongly recommend using
- `egctl x translate` to generate a `EnvoyProxy` resource with the
- `Bootstrap` field set to the default Bootstrap configuration used.
- You can edit this configuration, and rerun `egctl x translate` to
- ensure there are no validation errors.
+ to learn more about the syntax.
+ If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
+ set by Envoy Gateway.
+ Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
+ from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
+ Backward compatibility across minor versions is not guaranteed.
+ We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
+ Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors.
properties:
type:
default: Replace
- description: Type is the type of the bootstrap configuration,
- it should be either Replace or Merge. If unspecified, it defaults
- to Replace.
+ description: |-
+ Type is the type of the bootstrap configuration, it should be either Replace or Merge.
+ If unspecified, it defaults to Replace.
enum:
- Merge
- Replace
@@ -69,15 +72,16 @@ spec:
- value
type: object
concurrency:
- description: Concurrency defines the number of worker threads to run.
- If unset, it defaults to the number of cpuset threads on the platform.
+ description: |-
+ Concurrency defines the number of worker threads to run. If unset, it defaults to
+ the number of cpuset threads on the platform.
format: int32
type: integer
extraArgs:
- description: 'ExtraArgs defines additional command line options that
- are provided to Envoy. More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
- Note: some command line options are used internally(e.g. --log-level)
- so they cannot be provided here.'
+ description: |-
+ ExtraArgs defines additional command line options that are provided to Envoy.
+ More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
+ Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here.
items:
type: string
type: array
@@ -99,36 +103,36 @@ spec:
type: string
default:
default: warn
- description: 'Level is a map of logging level per component, where
- the component is the key and the log level is the value. If
- unspecified, defaults to "default: warn".'
+ description: |-
+ Level is a map of logging level per component, where the component is the key
+ and the log level is the value. If unspecified, defaults to "default: warn".
type: object
type: object
mergeGateways:
- description: MergeGateways defines if Gateway resources should be
- merged onto the same Envoy Proxy Infrastructure. Setting this field
- to true would merge all Gateway Listeners under the parent Gateway
- Class. This means that the port, protocol and hostname tuple must
- be unique for every listener. If a duplicate listener is detected,
- the newer listener (based on timestamp) will be rejected and its
- status will be updated with a "Accepted=False" condition.
+ description: |-
+ MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
+ Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
+ This means that the port, protocol and hostname tuple must be unique for every listener.
+ If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition.
type: boolean
provider:
- description: Provider defines the desired resource provider and provider-specific
- configuration. If unspecified, the "Kubernetes" resource provider
- is used with default configuration parameters.
+ description: |-
+ Provider defines the desired resource provider and provider-specific configuration.
+ If unspecified, the "Kubernetes" resource provider is used with default configuration
+ parameters.
properties:
kubernetes:
- description: Kubernetes defines the desired state of the Kubernetes
- resource provider. Kubernetes provides infrastructure resources
- for running the data plane, e.g. Envoy proxy. If unspecified
- and type is "Kubernetes", default settings for managed Kubernetes
- resources are applied.
+ description: |-
+ Kubernetes defines the desired state of the Kubernetes resource provider.
+ Kubernetes provides infrastructure resources for running the data plane,
+ e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
+ for managed Kubernetes resources are applied.
properties:
envoyDeployment:
- description: EnvoyDeployment defines the desired state of
- the Envoy deployment resource. If unspecified, default settings
- for the managed Envoy deployment resource are applied.
+ description: |-
+ EnvoyDeployment defines the desired state of the Envoy deployment resource.
+ If unspecified, default settings for the managed Envoy deployment resource
+ are applied.
properties:
container:
description: Container defines the desired specification
@@ -146,18 +150,16 @@ spec:
Must be a C_IDENTIFIER.
type: string
value:
- description: 'Variable references $(VAR_NAME)
- are expanded using the previously defined
- environment variables in the container and
- any service environment variables. If a variable
- cannot be resolved, the reference in the input
- string will be unchanged. Double $$ are reduced
- to a single $, which allows for escaping the
- $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
- produce the string literal "$(VAR_NAME)".
- Escaped references will never be expanded,
- regardless of whether the variable exists
- or not. Defaults to "".'
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
type: string
valueFrom:
description: Source for the environment variable's
@@ -170,10 +172,10 @@ spec:
description: The key to select.
type: string
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap
@@ -184,11 +186,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
fieldRef:
- description: 'Selects a field of the pod:
- supports metadata.name, metadata.namespace,
- `metadata.labels['''']`, `metadata.annotations['''']`,
- spec.nodeName, spec.serviceAccountName,
- status.hostIP, status.podIP, status.podIPs.'
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
properties:
apiVersion:
description: Version of the schema the
@@ -204,11 +204,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
resourceFieldRef:
- description: 'Selects a resource of the
- container: only resources limits and requests
- (limits.cpu, limits.memory, limits.ephemeral-storage,
- requests.cpu, requests.memory and requests.ephemeral-storage)
- are currently supported.'
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
properties:
containerName:
description: 'Container name: required
@@ -241,10 +239,10 @@ spec:
key.
type: string
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret
@@ -264,25 +262,30 @@ spec:
image to be used, instead of the default image.
type: string
resources:
- description: 'Resources required by this container.
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
properties:
claims:
- description: "Claims lists the names of resources,
- defined in spec.resourceClaims, that are used
- by this container. \n This is an alpha field
- and requires enabling the DynamicResourceAllocation
- feature gate. \n This field is immutable. It
- can only be set for containers."
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry
in PodSpec.ResourceClaims.
properties:
name:
- description: Name must match the name of
- one entry in pod.spec.resourceClaims of
- the Pod where this field is used. It makes
- that resource available inside a container.
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
type: string
required:
- name
@@ -298,8 +301,9 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount
- of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
@@ -308,37 +312,34 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount
- of compute resources required. If Requests is
- omitted for a container, it defaults to Limits
- if that is explicitly specified, otherwise to
- an implementation-defined value. Requests cannot
- exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
securityContext:
- description: 'SecurityContext defines the security
- options the container should be run with. If set,
- the fields of SecurityContext override the equivalent
- fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
properties:
allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls
- whether a process can gain more privileges than
- its parent process. This bool directly controls
- if the no_new_privs flag will be set on the
- container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run
- as Privileged 2) has CAP_SYS_ADMIN Note that
- this field cannot be set when spec.os.name is
- windows.'
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
capabilities:
- description: The capabilities to add/drop when
- running containers. Defaults to the default
- set of capabilities granted by the container
- runtime. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
add:
description: Added capabilities
@@ -356,69 +357,60 @@ spec:
type: array
type: object
privileged:
- description: Run container in privileged mode.
- Processes in privileged containers are essentially
- equivalent to root on the host. Defaults to
- false. Note that this field cannot be set when
- spec.os.name is windows.
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
procMount:
- description: procMount denotes the type of proc
- mount to use for the containers. The default
- is DefaultProcMount which uses the container
- runtime defaults for readonly paths and masked
- paths. This requires the ProcMountType feature
- flag to be enabled. Note that this field cannot
- be set when spec.os.name is windows.
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default is DefaultProcMount which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
type: string
readOnlyRootFilesystem:
- description: Whether this container has a read-only
- root filesystem. Default is false. Note that
- this field cannot be set when spec.os.name is
- windows.
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
runAsGroup:
- description: The GID to run the entrypoint of
- the container process. Uses runtime default
- if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
- description: Indicates that the container must
- run as a non-root user. If true, the Kubelet
- will validate the image at runtime to ensure
- that it does not run as UID 0 (root) and fail
- to start the container if it does. If unset
- or false, no such validation will be performed.
- May also be set in PodSecurityContext. If set
- in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence.
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
- description: The UID to run the entrypoint of
- the container process. Defaults to user specified
- in image metadata if unspecified. May also be
- set in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that
- this field cannot be set when spec.os.name is
- windows.
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
- description: The SELinux context to be applied
- to the container. If unspecified, the container
- runtime will allocate a random SELinux context
- for each container. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label
@@ -438,115 +430,104 @@ spec:
type: string
type: object
seccompProfile:
- description: The seccomp options to use by this
- container. If seccomp options are provided at
- both the pod & container level, the container
- options override the pod options. Note that
- this field cannot be set when spec.os.name is
- windows.
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
- description: localhostProfile indicates a
- profile defined in a file on the node should
- be used. The profile must be preconfigured
- on the node to work. Must be a descending
- path, relative to the kubelet's configured
- seccomp profile location. Must be set if
- type is "Localhost". Must NOT be set for
- any other type.
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
- description: "type indicates which kind of
- seccomp profile will be applied. Valid options
- are: \n Localhost - a profile defined in
- a file on the node should be used. RuntimeDefault
- - the container runtime default profile
- should be used. Unconfined - no profile
- should be applied."
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
type: string
required:
- type
type: object
windowsOptions:
- description: The Windows specific settings applied
- to all containers. If unspecified, the options
- from the PodSecurityContext will be used. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is linux.
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
- description: GMSACredentialSpec is where the
- GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
- inlines the contents of the GMSA credential
- spec named by the GMSACredentialSpecName
- field.
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the
name of the GMSA credential spec to use.
type: string
hostProcess:
- description: HostProcess determines if a container
- should be run as a 'Host Process' container.
- All of a Pod's containers must have the
- same effective HostProcess value (it is
- not allowed to have a mix of HostProcess
- containers and non-HostProcess containers).
- In addition, if HostProcess is true then
- HostNetwork must also be set to true.
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
- description: The UserName in Windows to run
- the entrypoint of the container process.
- Defaults to the user specified in image
- metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
volumeMounts:
- description: VolumeMounts are volumes to mount into
- the container's filesystem. Cannot be updated.
+ description: |-
+ VolumeMounts are volumes to mount into the container's filesystem.
+ Cannot be updated.
items:
description: VolumeMount describes a mounting of
a Volume within a container.
properties:
mountPath:
- description: Path within the container at which
- the volume should be mounted. Must not contain
- ':'.
+ description: |-
+ Path within the container at which the volume should be mounted. Must
+ not contain ':'.
type: string
mountPropagation:
- description: mountPropagation determines how
- mounts are propagated from the host to container
- and the other way around. When not set, MountPropagationNone
- is used. This field is beta in 1.10.
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
type: string
name:
description: This must match the Name of a Volume.
type: string
readOnly:
- description: Mounted read-only if true, read-write
- otherwise (false or unspecified). Defaults
- to false.
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
type: boolean
subPath:
- description: Path within the volume from which
- the container's volume should be mounted.
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
type: string
subPathExpr:
- description: Expanded path within the volume
- from which the container's volume should be
- mounted. Behaves similarly to SubPath but
- environment variable references $(VAR_NAME)
- are expanded using the container's environment.
- Defaults to "" (volume's root). SubPathExpr
- and SubPath are mutually exclusive.
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
type: string
required:
- mountPath
@@ -555,46 +536,43 @@ spec:
type: array
type: object
initContainers:
- description: 'List of initialization containers belonging
- to the pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/'
+ description: |-
+ List of initialization containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
items:
description: A single application container that you
want to run within a pod.
properties:
args:
- description: 'Arguments to the entrypoint. The container
- image''s CMD is used if this is not provided.
- Variable references $(VAR_NAME) are expanded using
- the container''s environment. If a variable cannot
- be resolved, the reference in the input string
- will be unchanged. Double $$ are reduced to a
- single $, which allows for escaping the $(VAR_NAME)
- syntax: i.e. "$$(VAR_NAME)" will produce the string
- literal "$(VAR_NAME)". Escaped references will
- never be expanded, regardless of whether the variable
- exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
+ description: |-
+ Arguments to the entrypoint.
+ The container image's CMD is used if this is not provided.
+ Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+ cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+ produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+ of whether the variable exists or not. Cannot be updated.
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
items:
type: string
type: array
command:
- description: 'Entrypoint array. Not executed within
- a shell. The container image''s ENTRYPOINT is
- used if this is not provided. Variable references
- $(VAR_NAME) are expanded using the container''s
- environment. If a variable cannot be resolved,
- the reference in the input string will be unchanged.
- Double $$ are reduced to a single $, which allows
- for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)"
- will produce the string literal "$(VAR_NAME)".
- Escaped references will never be expanded, regardless
- of whether the variable exists or not. Cannot
- be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
+ description: |-
+ Entrypoint array. Not executed within a shell.
+ The container image's ENTRYPOINT is used if this is not provided.
+ Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+ cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+ produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+ of whether the variable exists or not. Cannot be updated.
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
items:
type: string
type: array
env:
- description: List of environment variables to set
- in the container. Cannot be updated.
+ description: |-
+ List of environment variables to set in the container.
+ Cannot be updated.
items:
description: EnvVar represents an environment
variable present in a Container.
@@ -604,18 +582,16 @@ spec:
Must be a C_IDENTIFIER.
type: string
value:
- description: 'Variable references $(VAR_NAME)
- are expanded using the previously defined
- environment variables in the container and
- any service environment variables. If a
- variable cannot be resolved, the reference
- in the input string will be unchanged. Double
- $$ are reduced to a single $, which allows
- for escaping the $(VAR_NAME) syntax: i.e.
- "$$(VAR_NAME)" will produce the string literal
- "$(VAR_NAME)". Escaped references will never
- be expanded, regardless of whether the variable
- exists or not. Defaults to "".'
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
type: string
valueFrom:
description: Source for the environment variable's
@@ -628,10 +604,10 @@ spec:
description: The key to select.
type: string
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap
@@ -642,11 +618,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
fieldRef:
- description: 'Selects a field of the pod:
- supports metadata.name, metadata.namespace,
- `metadata.labels['''']`, `metadata.annotations['''']`,
- spec.nodeName, spec.serviceAccountName,
- status.hostIP, status.podIP, status.podIPs.'
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
properties:
apiVersion:
description: Version of the schema
@@ -662,12 +636,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
resourceFieldRef:
- description: 'Selects a resource of the
- container: only resources limits and
- requests (limits.cpu, limits.memory,
- limits.ephemeral-storage, requests.cpu,
- requests.memory and requests.ephemeral-storage)
- are currently supported.'
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
properties:
containerName:
description: 'Container name: required
@@ -700,10 +671,10 @@ spec:
secret key.
type: string
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret
@@ -719,15 +690,13 @@ spec:
type: object
type: array
envFrom:
- description: List of sources to populate environment
- variables in the container. The keys defined within
- a source must be a C_IDENTIFIER. All invalid keys
- will be reported as an event when the container
- is starting. When a key exists in multiple sources,
- the value associated with the last source will
- take precedence. Values defined by an Env with
- a duplicate key will take precedence. Cannot be
- updated.
+ description: |-
+ List of sources to populate environment variables in the container.
+ The keys defined within a source must be a C_IDENTIFIER. All invalid keys
+ will be reported as an event when the container is starting. When a key exists in multiple
+ sources, the value associated with the last source will take precedence.
+ Values defined by an Env with a duplicate key will take precedence.
+ Cannot be updated.
items:
description: EnvFromSource represents the source
of a set of ConfigMaps
@@ -736,10 +705,10 @@ spec:
description: The ConfigMap to select from
properties:
name:
- description: 'Name of the referent. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap
@@ -756,10 +725,10 @@ spec:
description: The Secret to select from
properties:
name:
- description: 'Name of the referent. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret
@@ -770,46 +739,43 @@ spec:
type: object
type: array
image:
- description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images
- This field is optional to allow higher level config
- management to default or override container images
- in workload controllers like Deployments and StatefulSets.'
+ description: |-
+ Container image name.
+ More info: https://kubernetes.io/docs/concepts/containers/images
+ This field is optional to allow higher level config management to default or override
+ container images in workload controllers like Deployments and StatefulSets.
type: string
imagePullPolicy:
- description: 'Image pull policy. One of Always,
- Never, IfNotPresent. Defaults to Always if :latest
- tag is specified, or IfNotPresent otherwise. Cannot
- be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'
+ description: |-
+ Image pull policy.
+ One of Always, Never, IfNotPresent.
+ Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
type: string
lifecycle:
- description: Actions that the management system
- should take in response to container lifecycle
- events. Cannot be updated.
+ description: |-
+ Actions that the management system should take in response to container lifecycle events.
+ Cannot be updated.
properties:
postStart:
- description: 'PostStart is called immediately
- after a container is created. If the handler
- fails, the container is terminated and restarted
- according to its restart policy. Other management
- of the container blocks until the hook completes.
- More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
+ description: |-
+ PostStart is called immediately after a container is created. If the handler fails,
+ the container is terminated and restarted according to its restart policy.
+ Other management of the container blocks until the hook completes.
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
properties:
exec:
description: Exec specifies the action to
take.
properties:
command:
- description: Command is the command
- line to execute inside the container,
- the working directory for the command is
- root ('/') in the container's filesystem.
- The command is simply exec'd, it is
- not run inside a shell, so traditional
- shell instructions ('|', etc) won't
- work. To use a shell, you need to
- explicitly call out to that shell.
- Exit status of 0 is treated as live/healthy
- and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
@@ -819,10 +785,9 @@ spec:
request to perform.
properties:
host:
- description: Host name to connect to,
- defaults to the pod IP. You probably
- want to set "Host" in httpHeaders
- instead.
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
type: string
httpHeaders:
description: Custom headers to set in
@@ -834,11 +799,9 @@ spec:
probes
properties:
name:
- description: The header field
- name. This will be canonicalized
- upon output, so case-variant
- names will be understood as
- the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field
@@ -857,14 +820,15 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
@@ -883,12 +847,10 @@ spec:
- seconds
type: object
tcpSocket:
- description: Deprecated. TCPSocket is NOT
- supported as a LifecycleHandler and kept
- for the backward compatibility. There
- are no validation of this field and lifecycle
- hooks will fail in runtime when tcp handler
- is specified.
+ description: |-
+ Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+ for the backward compatibility. There are no validation of this field and
+ lifecycle hooks will fail in runtime when tcp handler is specified.
properties:
host:
description: 'Optional: Host name to
@@ -898,47 +860,38 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
type: object
preStop:
- description: 'PreStop is called immediately
- before a container is terminated due to an
- API request or management event such as liveness/startup
- probe failure, preemption, resource contention,
- etc. The handler is not called if the container
- crashes or exits. The Pod''s termination grace
- period countdown begins before the PreStop
- hook is executed. Regardless of the outcome
- of the handler, the container will eventually
- terminate within the Pod''s termination grace
- period (unless delayed by finalizers). Other
- management of the container blocks until the
- hook completes or until the termination grace
- period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
+ description: |-
+ PreStop is called immediately before a container is terminated due to an
+ API request or management event such as liveness/startup probe failure,
+ preemption, resource contention, etc. The handler is not called if the
+ container crashes or exits. The Pod's termination grace period countdown begins before the
+ PreStop hook is executed. Regardless of the outcome of the handler, the
+ container will eventually terminate within the Pod's termination grace
+ period (unless delayed by finalizers). Other management of the container blocks until the hook completes
+ or until the termination grace period is reached.
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
properties:
exec:
description: Exec specifies the action to
take.
properties:
command:
- description: Command is the command
- line to execute inside the container,
- the working directory for the command is
- root ('/') in the container's filesystem.
- The command is simply exec'd, it is
- not run inside a shell, so traditional
- shell instructions ('|', etc) won't
- work. To use a shell, you need to
- explicitly call out to that shell.
- Exit status of 0 is treated as live/healthy
- and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
@@ -948,10 +901,9 @@ spec:
request to perform.
properties:
host:
- description: Host name to connect to,
- defaults to the pod IP. You probably
- want to set "Host" in httpHeaders
- instead.
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
type: string
httpHeaders:
description: Custom headers to set in
@@ -963,11 +915,9 @@ spec:
probes
properties:
name:
- description: The header field
- name. This will be canonicalized
- upon output, so case-variant
- names will be understood as
- the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field
@@ -986,14 +936,15 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
@@ -1012,12 +963,10 @@ spec:
- seconds
type: object
tcpSocket:
- description: Deprecated. TCPSocket is NOT
- supported as a LifecycleHandler and kept
- for the backward compatibility. There
- are no validation of this field and lifecycle
- hooks will fail in runtime when tcp handler
- is specified.
+ description: |-
+ Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+ for the backward compatibility. There are no validation of this field and
+ lifecycle hooks will fail in runtime when tcp handler is specified.
properties:
host:
description: 'Optional: Host name to
@@ -1027,10 +976,10 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
@@ -1038,33 +987,30 @@ spec:
type: object
type: object
livenessProbe:
- description: 'Periodic probe of container liveness.
+ description: |-
+ Periodic probe of container liveness.
Container will be restarted if the probe fails.
- Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
properties:
exec:
description: Exec specifies the action to take.
properties:
command:
- description: Command is the command line
- to execute inside the container, the working
- directory for the command is root ('/')
- in the container's filesystem. The command
- is simply exec'd, it is not run inside
- a shell, so traditional shell instructions
- ('|', etc) won't work. To use a shell,
- you need to explicitly call out to that
- shell. Exit status of 0 is treated as
- live/healthy and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
type: object
failureThreshold:
- description: Minimum consecutive failures for
- the probe to be considered failed after having
- succeeded. Defaults to 3. Minimum value is
- 1.
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
format: int32
type: integer
grpc:
@@ -1077,11 +1023,12 @@ spec:
format: int32
type: integer
service:
- description: "Service is the name of the
- service to place in the gRPC HealthCheckRequest
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
- \n If this is not specified, the default
- behavior is defined by gRPC."
+
+
+ If this is not specified, the default behavior is defined by gRPC.
type: string
required:
- port
@@ -1091,8 +1038,8 @@ spec:
to perform.
properties:
host:
- description: Host name to connect to, defaults
- to the pod IP. You probably want to set
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
"Host" in httpHeaders instead.
type: string
httpHeaders:
@@ -1103,10 +1050,9 @@ spec:
header to be used in HTTP probes
properties:
name:
- description: The header field name.
- This will be canonicalized upon
- output, so case-variant names will
- be understood as the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field value
@@ -1124,35 +1070,35 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
type: object
initialDelaySeconds:
- description: 'Number of seconds after the container
- has started before liveness probes are initiated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
periodSeconds:
- description: How often (in seconds) to perform
- the probe. Default to 10 seconds. Minimum
- value is 1.
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
- description: Minimum consecutive successes for
- the probe to be considered successful after
- having failed. Defaults to 1. Must be 1 for
- liveness and startup. Minimum value is 1.
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
format: int32
type: integer
tcpSocket:
@@ -1167,63 +1113,59 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
terminationGracePeriodSeconds:
- description: Optional duration in seconds the
- pod needs to terminate gracefully upon probe
- failure. The grace period is the duration
- in seconds after the processes running in
- the pod are sent a termination signal and
- the time when the processes are forcibly halted
- with a kill signal. Set this value longer
- than the expected cleanup time for your process.
- If this value is nil, the pod's terminationGracePeriodSeconds
- will be used. Otherwise, this value overrides
- the value provided by the pod spec. Value
- must be non-negative integer. The value zero
- indicates stop immediately via the kill signal
- (no opportunity to shut down). This is a beta
- field and requires enabling ProbeTerminationGracePeriod
- feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
- is used if unset.
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
format: int64
type: integer
timeoutSeconds:
- description: 'Number of seconds after which
- the probe times out. Defaults to 1 second.
- Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
type: object
name:
- description: Name of the container specified as
- a DNS_LABEL. Each container in a pod must have
- a unique name (DNS_LABEL). Cannot be updated.
+ description: |-
+ Name of the container specified as a DNS_LABEL.
+ Each container in a pod must have a unique name (DNS_LABEL).
+ Cannot be updated.
type: string
ports:
- description: List of ports to expose from the container.
- Not specifying a port here DOES NOT prevent that
- port from being exposed. Any port which is listening
- on the default "0.0.0.0" address inside a container
- will be accessible from the network. Modifying
- this array with strategic merge patch may corrupt
- the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255.
+ description: |-
+ List of ports to expose from the container. Not specifying a port here
+ DOES NOT prevent that port from being exposed. Any port which is
+ listening on the default "0.0.0.0" address inside a container will be
+ accessible from the network.
+ Modifying this array with strategic merge patch may corrupt the data.
+ For more information See https://github.com/kubernetes/kubernetes/issues/108255.
Cannot be updated.
items:
description: ContainerPort represents a network
port in a single container.
properties:
containerPort:
- description: Number of port to expose on the
- pod's IP address. This must be a valid port
- number, 0 < x < 65536.
+ description: |-
+ Number of port to expose on the pod's IP address.
+ This must be a valid port number, 0 < x < 65536.
format: int32
type: integer
hostIP:
@@ -1231,24 +1173,24 @@ spec:
port to.
type: string
hostPort:
- description: Number of port to expose on the
- host. If specified, this must be a valid
- port number, 0 < x < 65536. If HostNetwork
- is specified, this must match ContainerPort.
+ description: |-
+ Number of port to expose on the host.
+ If specified, this must be a valid port number, 0 < x < 65536.
+ If HostNetwork is specified, this must match ContainerPort.
Most containers do not need this.
format: int32
type: integer
name:
- description: If specified, this must be an
- IANA_SVC_NAME and unique within the pod.
- Each named port in a pod must have a unique
- name. Name for the port that can be referred
- to by services.
+ description: |-
+ If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
+ named port in a pod must have a unique name. Name for the port that can be
+ referred to by services.
type: string
protocol:
default: TCP
- description: Protocol for port. Must be UDP,
- TCP, or SCTP. Defaults to "TCP".
+ description: |-
+ Protocol for port. Must be UDP, TCP, or SCTP.
+ Defaults to "TCP".
type: string
required:
- containerPort
@@ -1259,34 +1201,30 @@ spec:
- protocol
x-kubernetes-list-type: map
readinessProbe:
- description: 'Periodic probe of container service
- readiness. Container will be removed from service
- endpoints if the probe fails. Cannot be updated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Periodic probe of container service readiness.
+ Container will be removed from service endpoints if the probe fails.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
properties:
exec:
description: Exec specifies the action to take.
properties:
command:
- description: Command is the command line
- to execute inside the container, the working
- directory for the command is root ('/')
- in the container's filesystem. The command
- is simply exec'd, it is not run inside
- a shell, so traditional shell instructions
- ('|', etc) won't work. To use a shell,
- you need to explicitly call out to that
- shell. Exit status of 0 is treated as
- live/healthy and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
type: object
failureThreshold:
- description: Minimum consecutive failures for
- the probe to be considered failed after having
- succeeded. Defaults to 3. Minimum value is
- 1.
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
format: int32
type: integer
grpc:
@@ -1299,11 +1237,12 @@ spec:
format: int32
type: integer
service:
- description: "Service is the name of the
- service to place in the gRPC HealthCheckRequest
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
- \n If this is not specified, the default
- behavior is defined by gRPC."
+
+
+ If this is not specified, the default behavior is defined by gRPC.
type: string
required:
- port
@@ -1313,8 +1252,8 @@ spec:
to perform.
properties:
host:
- description: Host name to connect to, defaults
- to the pod IP. You probably want to set
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
"Host" in httpHeaders instead.
type: string
httpHeaders:
@@ -1325,10 +1264,9 @@ spec:
header to be used in HTTP probes
properties:
name:
- description: The header field name.
- This will be canonicalized upon
- output, so case-variant names will
- be understood as the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field value
@@ -1346,35 +1284,35 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
type: object
initialDelaySeconds:
- description: 'Number of seconds after the container
- has started before liveness probes are initiated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
periodSeconds:
- description: How often (in seconds) to perform
- the probe. Default to 10 seconds. Minimum
- value is 1.
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
- description: Minimum consecutive successes for
- the probe to be considered successful after
- having failed. Defaults to 1. Must be 1 for
- liveness and startup. Minimum value is 1.
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
format: int32
type: integer
tcpSocket:
@@ -1389,38 +1327,33 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
terminationGracePeriodSeconds:
- description: Optional duration in seconds the
- pod needs to terminate gracefully upon probe
- failure. The grace period is the duration
- in seconds after the processes running in
- the pod are sent a termination signal and
- the time when the processes are forcibly halted
- with a kill signal. Set this value longer
- than the expected cleanup time for your process.
- If this value is nil, the pod's terminationGracePeriodSeconds
- will be used. Otherwise, this value overrides
- the value provided by the pod spec. Value
- must be non-negative integer. The value zero
- indicates stop immediately via the kill signal
- (no opportunity to shut down). This is a beta
- field and requires enabling ProbeTerminationGracePeriod
- feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
- is used if unset.
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
format: int64
type: integer
timeoutSeconds:
- description: 'Number of seconds after which
- the probe times out. Defaults to 1 second.
- Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
type: object
@@ -1431,14 +1364,14 @@ spec:
resource resize policy for the container.
properties:
resourceName:
- description: 'Name of the resource to which
- this resource resize policy applies. Supported
- values: cpu, memory.'
+ description: |-
+ Name of the resource to which this resource resize policy applies.
+ Supported values: cpu, memory.
type: string
restartPolicy:
- description: Restart policy to apply when
- specified resource is resized. If not specified,
- it defaults to NotRequired.
+ description: |-
+ Restart policy to apply when specified resource is resized.
+ If not specified, it defaults to NotRequired.
type: string
required:
- resourceName
@@ -1447,26 +1380,31 @@ spec:
type: array
x-kubernetes-list-type: atomic
resources:
- description: 'Compute Resources required by this
- container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Compute Resources required by this container.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
properties:
claims:
- description: "Claims lists the names of resources,
- defined in spec.resourceClaims, that are used
- by this container. \n This is an alpha field
- and requires enabling the DynamicResourceAllocation
- feature gate. \n This field is immutable.
- It can only be set for containers."
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one
entry in PodSpec.ResourceClaims.
properties:
name:
- description: Name must match the name
- of one entry in pod.spec.resourceClaims
- of the Pod where this field is used.
- It makes that resource available inside
- a container.
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
type: string
required:
- name
@@ -1482,8 +1420,9 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount
- of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
@@ -1492,61 +1431,52 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum
- amount of compute resources required. If Requests
- is omitted for a container, it defaults to
- Limits if that is explicitly specified, otherwise
- to an implementation-defined value. Requests
- cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
restartPolicy:
- description: 'RestartPolicy defines the restart
- behavior of individual containers in a pod. This
- field may only be set for init containers, and
- the only allowed value is "Always". For non-init
- containers or when this field is not specified,
- the restart behavior is defined by the Pod''s
- restart policy and the container type. Setting
- the RestartPolicy as "Always" for the init container
- will have the following effect: this init container
- will be continually restarted on exit until all
- regular containers have terminated. Once all regular
- containers have completed, all init containers
- with restartPolicy "Always" will be shut down.
- This lifecycle differs from normal init containers
- and is often referred to as a "sidecar" container.
- Although this init container still starts in the
- init container sequence, it does not wait for
- the container to complete before proceeding to
- the next init container. Instead, the next init
- container starts immediately after this init container
- is started, or after any startupProbe has successfully
- completed.'
+ description: |-
+ RestartPolicy defines the restart behavior of individual containers in a pod.
+ This field may only be set for init containers, and the only allowed value is "Always".
+ For non-init containers or when this field is not specified,
+ the restart behavior is defined by the Pod's restart policy and the container type.
+ Setting the RestartPolicy as "Always" for the init container will have the following effect:
+ this init container will be continually restarted on
+ exit until all regular containers have terminated. Once all regular
+ containers have completed, all init containers with restartPolicy "Always"
+ will be shut down. This lifecycle differs from normal init containers and
+ is often referred to as a "sidecar" container. Although this init
+ container still starts in the init container sequence, it does not wait
+ for the container to complete before proceeding to the next init
+ container. Instead, the next init container starts immediately after this
+ init container is started, or after any startupProbe has successfully
+ completed.
type: string
securityContext:
- description: 'SecurityContext defines the security
- options the container should be run with. If set,
- the fields of SecurityContext override the equivalent
- fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
properties:
allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls
- whether a process can gain more privileges
- than its parent process. This bool directly
- controls if the no_new_privs flag will be
- set on the container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run
- as Privileged 2) has CAP_SYS_ADMIN Note that
- this field cannot be set when spec.os.name
- is windows.'
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
capabilities:
- description: The capabilities to add/drop when
- running containers. Defaults to the default
- set of capabilities granted by the container
- runtime. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
add:
description: Added capabilities
@@ -1564,69 +1494,60 @@ spec:
type: array
type: object
privileged:
- description: Run container in privileged mode.
- Processes in privileged containers are essentially
- equivalent to root on the host. Defaults to
- false. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
procMount:
- description: procMount denotes the type of proc
- mount to use for the containers. The default
- is DefaultProcMount which uses the container
- runtime defaults for readonly paths and masked
- paths. This requires the ProcMountType feature
- flag to be enabled. Note that this field cannot
- be set when spec.os.name is windows.
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default is DefaultProcMount which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
type: string
readOnlyRootFilesystem:
- description: Whether this container has a read-only
- root filesystem. Default is false. Note that
- this field cannot be set when spec.os.name
- is windows.
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
runAsGroup:
- description: The GID to run the entrypoint of
- the container process. Uses runtime default
- if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be
- set when spec.os.name is windows.
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
- description: Indicates that the container must
- run as a non-root user. If true, the Kubelet
- will validate the image at runtime to ensure
- that it does not run as UID 0 (root) and fail
- to start the container if it does. If unset
- or false, no such validation will be performed.
- May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence.
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
- description: The UID to run the entrypoint of
- the container process. Defaults to user specified
- in image metadata if unspecified. May also
- be set in PodSecurityContext. If set in both
- SecurityContext and PodSecurityContext, the
- value specified in SecurityContext takes precedence.
- Note that this field cannot be set when spec.os.name
- is windows.
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
- description: The SELinux context to be applied
- to the container. If unspecified, the container
- runtime will allocate a random SELinux context
- for each container. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be
- set when spec.os.name is windows.
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label
@@ -1646,112 +1567,93 @@ spec:
type: string
type: object
seccompProfile:
- description: The seccomp options to use by this
- container. If seccomp options are provided
- at both the pod & container level, the container
- options override the pod options. Note that
- this field cannot be set when spec.os.name
- is windows.
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
- description: localhostProfile indicates
- a profile defined in a file on the node
- should be used. The profile must be preconfigured
- on the node to work. Must be a descending
- path, relative to the kubelet's configured
- seccomp profile location. Must be set
- if type is "Localhost". Must NOT be set
- for any other type.
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
- description: "type indicates which kind
- of seccomp profile will be applied. Valid
- options are: \n Localhost - a profile
- defined in a file on the node should be
- used. RuntimeDefault - the container runtime
- default profile should be used. Unconfined
- - no profile should be applied."
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
type: string
required:
- type
type: object
windowsOptions:
- description: The Windows specific settings applied
- to all containers. If unspecified, the options
- from the PodSecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be
- set when spec.os.name is linux.
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
- description: GMSACredentialSpec is where
- the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
- inlines the contents of the GMSA credential
- spec named by the GMSACredentialSpecName
- field.
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the
name of the GMSA credential spec to use.
type: string
hostProcess:
- description: HostProcess determines if a
- container should be run as a 'Host Process'
- container. All of a Pod's containers must
- have the same effective HostProcess value
- (it is not allowed to have a mix of HostProcess
- containers and non-HostProcess containers).
- In addition, if HostProcess is true then
- HostNetwork must also be set to true.
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
- description: The UserName in Windows to
- run the entrypoint of the container process.
- Defaults to the user specified in image
- metadata if unspecified. May also be set
- in PodSecurityContext. If set in both
- SecurityContext and PodSecurityContext,
- the value specified in SecurityContext
- takes precedence.
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
startupProbe:
- description: 'StartupProbe indicates that the Pod
- has successfully initialized. If specified, no
- other probes are executed until this completes
- successfully. If this probe fails, the Pod will
- be restarted, just as if the livenessProbe failed.
- This can be used to provide different probe parameters
- at the beginning of a Pod''s lifecycle, when it
- might take a long time to load data or warm a
- cache, than during steady-state operation. This
- cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ StartupProbe indicates that the Pod has successfully initialized.
+ If specified, no other probes are executed until this completes successfully.
+ If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
+ This can be used to provide different probe parameters at the beginning of a Pod's lifecycle,
+ when it might take a long time to load data or warm a cache, than during steady-state operation.
+ This cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
properties:
exec:
description: Exec specifies the action to take.
properties:
command:
- description: Command is the command line
- to execute inside the container, the working
- directory for the command is root ('/')
- in the container's filesystem. The command
- is simply exec'd, it is not run inside
- a shell, so traditional shell instructions
- ('|', etc) won't work. To use a shell,
- you need to explicitly call out to that
- shell. Exit status of 0 is treated as
- live/healthy and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
type: object
failureThreshold:
- description: Minimum consecutive failures for
- the probe to be considered failed after having
- succeeded. Defaults to 3. Minimum value is
- 1.
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
format: int32
type: integer
grpc:
@@ -1764,11 +1666,12 @@ spec:
format: int32
type: integer
service:
- description: "Service is the name of the
- service to place in the gRPC HealthCheckRequest
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
- \n If this is not specified, the default
- behavior is defined by gRPC."
+
+
+ If this is not specified, the default behavior is defined by gRPC.
type: string
required:
- port
@@ -1778,8 +1681,8 @@ spec:
to perform.
properties:
host:
- description: Host name to connect to, defaults
- to the pod IP. You probably want to set
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
"Host" in httpHeaders instead.
type: string
httpHeaders:
@@ -1790,10 +1693,9 @@ spec:
header to be used in HTTP probes
properties:
name:
- description: The header field name.
- This will be canonicalized upon
- output, so case-variant names will
- be understood as the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field value
@@ -1811,35 +1713,35 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
type: object
initialDelaySeconds:
- description: 'Number of seconds after the container
- has started before liveness probes are initiated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
periodSeconds:
- description: How often (in seconds) to perform
- the probe. Default to 10 seconds. Minimum
- value is 1.
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
- description: Minimum consecutive successes for
- the probe to be considered successful after
- having failed. Defaults to 1. Must be 1 for
- liveness and startup. Minimum value is 1.
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
format: int32
type: integer
tcpSocket:
@@ -1854,87 +1756,76 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
terminationGracePeriodSeconds:
- description: Optional duration in seconds the
- pod needs to terminate gracefully upon probe
- failure. The grace period is the duration
- in seconds after the processes running in
- the pod are sent a termination signal and
- the time when the processes are forcibly halted
- with a kill signal. Set this value longer
- than the expected cleanup time for your process.
- If this value is nil, the pod's terminationGracePeriodSeconds
- will be used. Otherwise, this value overrides
- the value provided by the pod spec. Value
- must be non-negative integer. The value zero
- indicates stop immediately via the kill signal
- (no opportunity to shut down). This is a beta
- field and requires enabling ProbeTerminationGracePeriod
- feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
- is used if unset.
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
format: int64
type: integer
timeoutSeconds:
- description: 'Number of seconds after which
- the probe times out. Defaults to 1 second.
- Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
type: object
stdin:
- description: Whether this container should allocate
- a buffer for stdin in the container runtime. If
- this is not set, reads from stdin in the container
- will always result in EOF. Default is false.
+ description: |-
+ Whether this container should allocate a buffer for stdin in the container runtime. If this
+ is not set, reads from stdin in the container will always result in EOF.
+ Default is false.
type: boolean
stdinOnce:
- description: Whether the container runtime should
- close the stdin channel after it has been opened
- by a single attach. When stdin is true the stdin
- stream will remain open across multiple attach
- sessions. If stdinOnce is set to true, stdin is
- opened on container start, is empty until the
- first client attaches to stdin, and then remains
- open and accepts data until the client disconnects,
- at which time stdin is closed and remains closed
- until the container is restarted. If this flag
- is false, a container processes that reads from
- stdin will never receive an EOF. Default is false
+ description: |-
+ Whether the container runtime should close the stdin channel after it has been opened by
+ a single attach. When stdin is true the stdin stream will remain open across multiple attach
+ sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+ first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+ at which time stdin is closed and remains closed until the container is restarted. If this
+ flag is false, a container processes that reads from stdin will never receive an EOF.
+ Default is false
type: boolean
terminationMessagePath:
- description: 'Optional: Path at which the file to
- which the container''s termination message will
- be written is mounted into the container''s filesystem.
- Message written is intended to be brief final
- status, such as an assertion failure message.
- Will be truncated by the node if greater than
- 4096 bytes. The total message length across all
- containers will be limited to 12kb. Defaults to
- /dev/termination-log. Cannot be updated.'
+ description: |-
+ Optional: Path at which the file to which the container's termination message
+ will be written is mounted into the container's filesystem.
+ Message written is intended to be brief final status, such as an assertion failure message.
+ Will be truncated by the node if greater than 4096 bytes. The total message length across
+ all containers will be limited to 12kb.
+ Defaults to /dev/termination-log.
+ Cannot be updated.
type: string
terminationMessagePolicy:
- description: Indicate how the termination message
- should be populated. File will use the contents
- of terminationMessagePath to populate the container
- status message on both success and failure. FallbackToLogsOnError
- will use the last chunk of container log output
- if the termination message file is empty and the
- container exited with an error. The log output
- is limited to 2048 bytes or 80 lines, whichever
- is smaller. Defaults to File. Cannot be updated.
+ description: |-
+ Indicate how the termination message should be populated. File will use the contents of
+ terminationMessagePath to populate the container status message on both success and failure.
+ FallbackToLogsOnError will use the last chunk of container log output if the termination
+ message file is empty and the container exited with an error.
+ The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+ Defaults to File.
+ Cannot be updated.
type: string
tty:
- description: Whether this container should allocate
- a TTY for itself, also requires 'stdin' to be
- true. Default is false.
+ description: |-
+ Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+ Default is false.
type: boolean
volumeDevices:
description: volumeDevices is the list of block
@@ -1958,46 +1849,45 @@ spec:
type: object
type: array
volumeMounts:
- description: Pod volumes to mount into the container's
- filesystem. Cannot be updated.
+ description: |-
+ Pod volumes to mount into the container's filesystem.
+ Cannot be updated.
items:
description: VolumeMount describes a mounting
of a Volume within a container.
properties:
mountPath:
- description: Path within the container at
- which the volume should be mounted. Must
+ description: |-
+ Path within the container at which the volume should be mounted. Must
not contain ':'.
type: string
mountPropagation:
- description: mountPropagation determines how
- mounts are propagated from the host to container
- and the other way around. When not set,
- MountPropagationNone is used. This field
- is beta in 1.10.
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
type: string
name:
description: This must match the Name of a
Volume.
type: string
readOnly:
- description: Mounted read-only if true, read-write
- otherwise (false or unspecified). Defaults
- to false.
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
type: boolean
subPath:
- description: Path within the volume from which
- the container's volume should be mounted.
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
type: string
subPathExpr:
- description: Expanded path within the volume
- from which the container's volume should
- be mounted. Behaves similarly to SubPath
- but environment variable references $(VAR_NAME)
- are expanded using the container's environment.
- Defaults to "" (volume's root). SubPathExpr
- and SubPath are mutually exclusive.
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
type: string
required:
- mountPath
@@ -2005,10 +1895,11 @@ spec:
type: object
type: array
workingDir:
- description: Container's working directory. If not
- specified, the container runtime's default will
- be used, which might be configured in the container
- image. Cannot be updated.
+ description: |-
+ Container's working directory.
+ If not specified, the container runtime's default will be used, which
+ might be configured in the container image.
+ Cannot be updated.
type: string
required:
- name
@@ -2019,9 +1910,11 @@ spec:
to deployment
properties:
type:
- description: "Type is the type of merge operation
- to perform \n By default, StrategicMerge is used
- as the patch type."
+ description: |-
+ Type is the type of merge operation to perform
+
+
+ By default, StrategicMerge is used as the patch type.
type: string
value:
description: Object contains the raw configuration
@@ -2042,27 +1935,20 @@ spec:
rules for the pod.
properties:
preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- affinity expressions specified by this field,
- but it may choose a node that violates one
- or more of the expressions. The node that
- is most preferred is the one with the greatest
- sum of weights, i.e. for each node that
- meets all of the scheduling requirements
- (resource request, requiredDuringScheduling
- affinity expressions, etc.), compute a sum
- by iterating through the elements of this
- field and adding "weight" to the sum if
- the node matches the corresponding matchExpressions;
- the node(s) with the highest sum are the
- most preferred.
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
items:
- description: An empty preferred scheduling
- term matches all objects with implicit
- weight 0 (i.e. it's a no-op). A null preferred
- scheduling term matches no objects (i.e.
- is also a no-op).
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
properties:
preference:
description: A node selector term, associated
@@ -2072,9 +1958,8 @@ spec:
description: A list of node selector
requirements by node's labels.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2083,27 +1968,17 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
@@ -2116,9 +1991,8 @@ spec:
description: A list of node selector
requirements by node's fields.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2127,27 +2001,17 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
@@ -2170,31 +2034,28 @@ spec:
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not met at scheduling
- time, the pod will not be scheduled onto
- the node. If the affinity requirements specified
- by this field cease to be met at some point
- during pod execution (e.g. due to an update),
- the system may or may not try to eventually
- evict the pod from its node.
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
properties:
nodeSelectorTerms:
description: Required. A list of node
selector terms. The terms are ORed.
items:
- description: A null or empty node selector
- term matches no objects. The requirements
- of them are ANDed. The TopologySelectorTerm
- type implements a subset of the NodeSelectorTerm.
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
properties:
matchExpressions:
description: A list of node selector
requirements by node's labels.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2203,27 +2064,17 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
@@ -2236,9 +2087,8 @@ spec:
description: A list of node selector
requirements by node's fields.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2247,27 +2097,17 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
@@ -2290,21 +2130,16 @@ spec:
zone, etc. as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- affinity expressions specified by this field,
- but it may choose a node that violates one
- or more of the expressions. The node that
- is most preferred is the one with the greatest
- sum of weights, i.e. for each node that
- meets all of the scheduling requirements
- (resource request, requiredDuringScheduling
- affinity expressions, etc.), compute a sum
- by iterating through the elements of this
- field and adding "weight" to the sum if
- the node has pods which matches the corresponding
- podAffinityTerm; the node(s) with the highest
- sum are the most preferred.
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched
WeightedPodAffinityTerm fields are added
@@ -2316,10 +2151,9 @@ spec:
weight.
properties:
labelSelector:
- description: A label query over
- a set of resources, in this case
- pods. If it's null, this PodAffinityTerm
- matches with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions
@@ -2327,10 +2161,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2339,24 +2171,15 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2369,82 +2192,50 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a
- set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key in (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MatchLabelKeys
- and LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is
- a set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key notin (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over
- the set of namespaces that the
- term applies to. The term is applied
- to the union of the namespaces
- selected by this field and the
- ones listed in the namespaces
- field. null selector and null
- or empty namespaces list means
- "this pod's namespace". An empty
- selector ({}) matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions
@@ -2452,10 +2243,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2464,24 +2253,15 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2494,51 +2274,36 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies
- a static list of namespace names
- that the term applies to. The
- term is applied to the union of
- the namespaces listed in this
- field and the ones selected by
- namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
- description: This pod should be
- co-located (affinity) or not co-located
- (anti-affinity) with the pods
- matching the labelSelector in
- the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
- description: weight associated with
- matching the corresponding podAffinityTerm,
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
@@ -2548,45 +2313,36 @@ spec:
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not met at scheduling
- time, the pod will not be scheduled onto
- the node. If the affinity requirements specified
- by this field cease to be met at some point
- during pod execution (e.g. due to a pod
- label update), the system may or may not
- try to eventually evict the pod from its
- node. When there are multiple elements,
- the lists of nodes corresponding to each
- podAffinityTerm are intersected, i.e. all
- terms must be satisfied.
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this pod
- should be co-located (affinity) or not
- co-located (anti-affinity) with, where
- co-located is defined as running on a
- node whose value of the label with key
- matches that of any node
- on which a pod of the set of pods is running
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
properties:
labelSelector:
- description: A label query over a set
- of resources, in this case pods. If
- it's null, this PodAffinityTerm matches
- with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -2594,23 +2350,16 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2622,87 +2371,59 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a set
- of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key in (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MatchLabelKeys and
- LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is a
- set of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key notin (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over the
- set of namespaces that the term applies
- to. The term is applied to the union
- of the namespaces selected by this
- field and the ones listed in the namespaces
- field. null selector and null or empty
- namespaces list means "this pod's
- namespace". An empty selector ({})
- matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -2710,23 +2431,16 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -2738,41 +2452,29 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies a
- static list of namespace names that
- the term applies to. The term is applied
- to the union of the namespaces listed
- in this field and the ones selected
- by namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
- description: This pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with the pods matching the labelSelector
- in the specified namespaces, where
- co-located is defined as running on
- a node whose value of the label with
- key topologyKey matches that of any
- node on which any of the selected
- pods is running. Empty topologyKey
- is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
@@ -2785,21 +2487,16 @@ spec:
node, zone, etc. as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- anti-affinity expressions specified by this
- field, but it may choose a node that violates
- one or more of the expressions. The node
- that is most preferred is the one with the
- greatest sum of weights, i.e. for each node
- that meets all of the scheduling requirements
- (resource request, requiredDuringScheduling
- anti-affinity expressions, etc.), compute
- a sum by iterating through the elements
- of this field and adding "weight" to the
- sum if the node has pods which matches the
- corresponding podAffinityTerm; the node(s)
- with the highest sum are the most preferred.
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched
WeightedPodAffinityTerm fields are added
@@ -2811,10 +2508,9 @@ spec:
weight.
properties:
labelSelector:
- description: A label query over
- a set of resources, in this case
- pods. If it's null, this PodAffinityTerm
- matches with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions
@@ -2822,10 +2518,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2834,24 +2528,15 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2864,82 +2549,50 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a
- set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key in (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MatchLabelKeys
- and LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is
- a set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key notin (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over
- the set of namespaces that the
- term applies to. The term is applied
- to the union of the namespaces
- selected by this field and the
- ones listed in the namespaces
- field. null selector and null
- or empty namespaces list means
- "this pod's namespace". An empty
- selector ({}) matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions
@@ -2947,10 +2600,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2959,24 +2610,15 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -2989,51 +2631,36 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies
- a static list of namespace names
- that the term applies to. The
- term is applied to the union of
- the namespaces listed in this
- field and the ones selected by
- namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
- description: This pod should be
- co-located (affinity) or not co-located
- (anti-affinity) with the pods
- matching the labelSelector in
- the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
- description: weight associated with
- matching the corresponding podAffinityTerm,
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
@@ -3043,45 +2670,36 @@ spec:
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity requirements
- specified by this field are not met at scheduling
- time, the pod will not be scheduled onto
- the node. If the anti-affinity requirements
- specified by this field cease to be met
- at some point during pod execution (e.g.
- due to a pod label update), the system may
- or may not try to eventually evict the pod
- from its node. When there are multiple elements,
- the lists of nodes corresponding to each
- podAffinityTerm are intersected, i.e. all
- terms must be satisfied.
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this pod
- should be co-located (affinity) or not
- co-located (anti-affinity) with, where
- co-located is defined as running on a
- node whose value of the label with key
- matches that of any node
- on which a pod of the set of pods is running
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
properties:
labelSelector:
- description: A label query over a set
- of resources, in this case pods. If
- it's null, this PodAffinityTerm matches
- with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -3089,23 +2707,16 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3117,87 +2728,59 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a set
- of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key in (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MatchLabelKeys and
- LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is a
- set of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key notin (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
+ Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over the
- set of namespaces that the term applies
- to. The term is applied to the union
- of the namespaces selected by this
- field and the ones listed in the namespaces
- field. null selector and null or empty
- namespaces list means "this pod's
- namespace". An empty selector ({})
- matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -3205,23 +2788,16 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3233,41 +2809,29 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies a
- static list of namespace names that
- the term applies to. The term is applied
- to the union of the namespaces listed
- in this field and the ones selected
- by namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
- description: This pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with the pods matching the labelSelector
- in the specified namespaces, where
- co-located is defined as running on
- a node whose value of the label with
- key topologyKey matches that of any
- node on which any of the selected
- pods is running. Empty topologyKey
- is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
@@ -3278,27 +2842,26 @@ spec:
annotations:
additionalProperties:
type: string
- description: Annotations are the annotations that
- should be appended to the pods. By default, no pod
- annotations are appended.
+ description: |-
+ Annotations are the annotations that should be appended to the pods.
+ By default, no pod annotations are appended.
type: object
imagePullSecrets:
- description: 'ImagePullSecrets is an optional list
- of references to secrets in the same namespace to
- use for pulling any of the images used by this PodSpec.
- If specified, these secrets will be passed to individual
- puller implementations for them to use. More info:
- https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
+ description: |-
+ ImagePullSecrets is an optional list of references to secrets
+ in the same namespace to use for pulling any of the images used by this PodSpec.
+ If specified, these secrets will be passed to individual puller implementations for them to use.
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
items:
- description: LocalObjectReference contains enough
- information to let you locate the referenced object
- inside the same namespace.
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
properties:
name:
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
@@ -3306,92 +2869,86 @@ spec:
labels:
additionalProperties:
type: string
- description: Labels are the additional labels that
- should be tagged to the pods. By default, no additional
- pod labels are tagged.
+ description: |-
+ Labels are the additional labels that should be tagged to the pods.
+ By default, no additional pod labels are tagged.
type: object
nodeSelector:
additionalProperties:
type: string
- description: 'NodeSelector is a selector which must
- be true for the pod to fit on a node. Selector which
- must match a node''s labels for the pod to be scheduled
- on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
type: object
securityContext:
- description: 'SecurityContext holds pod-level security
- attributes and common container settings. Optional:
- Defaults to empty. See type description for default
- values of each field.'
+ description: |-
+ SecurityContext holds pod-level security attributes and common container settings.
+ Optional: Defaults to empty. See type description for default values of each field.
properties:
fsGroup:
- description: "A special supplemental group that
- applies to all containers in a pod. Some volume
- types allow the Kubelet to change the ownership
- of that volume to be owned by the pod: \n 1.
- The owning GID will be the FSGroup 2. The setgid
- bit is set (new files created in the volume
- will be owned by FSGroup) 3. The permission
- bits are OR'd with rw-rw---- \n If unset, the
- Kubelet will not modify the ownership and permissions
- of any volume. Note that this field cannot be
- set when spec.os.name is windows."
+ description: |-
+ A special supplemental group that applies to all containers in a pod.
+ Some volume types allow the Kubelet to change the ownership of that volume
+ to be owned by the pod:
+
+
+ 1. The owning GID will be the FSGroup
+ 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+ 3. The permission bits are OR'd with rw-rw----
+
+
+ If unset, the Kubelet will not modify the ownership and permissions of any volume.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
fsGroupChangePolicy:
- description: 'fsGroupChangePolicy defines behavior
- of changing ownership and permission of the
- volume before being exposed inside Pod. This
- field will only apply to volume types which
- support fsGroup based ownership(and permissions).
- It will have no effect on ephemeral volume types
- such as: secret, configmaps and emptydir. Valid
- values are "OnRootMismatch" and "Always". If
- not specified, "Always" is used. Note that this
- field cannot be set when spec.os.name is windows.'
+ description: |-
+ fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+ before being exposed inside Pod. This field will only apply to
+ volume types which support fsGroup based ownership(and permissions).
+ It will have no effect on ephemeral volume types such as: secret, configmaps
+ and emptydir.
+ Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+ Note that this field cannot be set when spec.os.name is windows.
type: string
runAsGroup:
- description: The GID to run the entrypoint of
- the container process. Uses runtime default
- if unset. May also be set in SecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence for that container. Note that this
- field cannot be set when spec.os.name is windows.
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
- description: Indicates that the container must
- run as a non-root user. If true, the Kubelet
- will validate the image at runtime to ensure
- that it does not run as UID 0 (root) and fail
- to start the container if it does. If unset
- or false, no such validation will be performed.
- May also be set in SecurityContext. If set
- in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence.
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
- description: The UID to run the entrypoint of
- the container process. Defaults to user specified
- in image metadata if unspecified. May also be
- set in SecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence for that
- container. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
- description: The SELinux context to be applied
- to all containers. If unspecified, the container
- runtime will allocate a random SELinux context
- for each container. May also be set in SecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence for that container. Note that this
- field cannot be set when spec.os.name is windows.
+ description: |-
+ The SELinux context to be applied to all containers.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in SecurityContext. If set in
+ both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+ takes precedence for that container.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label
@@ -3411,55 +2968,48 @@ spec:
type: string
type: object
seccompProfile:
- description: The seccomp options to use by the
- containers in this pod. Note that this field
- cannot be set when spec.os.name is windows.
+ description: |-
+ The seccomp options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
- description: localhostProfile indicates a
- profile defined in a file on the node should
- be used. The profile must be preconfigured
- on the node to work. Must be a descending
- path, relative to the kubelet's configured
- seccomp profile location. Must be set if
- type is "Localhost". Must NOT be set for
- any other type.
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
- description: "type indicates which kind of
- seccomp profile will be applied. Valid options
- are: \n Localhost - a profile defined in
- a file on the node should be used. RuntimeDefault
- - the container runtime default profile
- should be used. Unconfined - no profile
- should be applied."
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
type: string
required:
- type
type: object
supplementalGroups:
- description: A list of groups applied to the first
- process run in each container, in addition to
- the container's primary GID, the fsGroup (if
- specified), and group memberships defined in
- the container image for the uid of the container
- process. If unspecified, no additional groups
- are added to any container. Note that group
- memberships defined in the container image for
- the uid of the container process are still effective,
+ description: |-
+ A list of groups applied to the first process run in each container, in addition
+ to the container's primary GID, the fsGroup (if specified), and group memberships
+ defined in the container image for the uid of the container process. If unspecified,
+ no additional groups are added to any container. Note that group memberships
+ defined in the container image for the uid of the container process are still effective,
even if they are not included in this list.
- Note that this field cannot be set when spec.os.name
- is windows.
+ Note that this field cannot be set when spec.os.name is windows.
items:
format: int64
type: integer
type: array
sysctls:
- description: Sysctls hold a list of namespaced
- sysctls used for the pod. Pods with unsupported
- sysctls (by the container runtime) might fail
- to launch. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+ sysctls (by the container runtime) might fail to launch.
+ Note that this field cannot be set when spec.os.name is windows.
items:
description: Sysctl defines a kernel parameter
to be set
@@ -3476,107 +3026,90 @@ spec:
type: object
type: array
windowsOptions:
- description: The Windows specific settings applied
- to all containers. If unspecified, the options
- within a container's SecurityContext will be
- used. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is linux.
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options within a container's SecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
- description: GMSACredentialSpec is where the
- GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
- inlines the contents of the GMSA credential
- spec named by the GMSACredentialSpecName
- field.
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the
name of the GMSA credential spec to use.
type: string
hostProcess:
- description: HostProcess determines if a container
- should be run as a 'Host Process' container.
- All of a Pod's containers must have the
- same effective HostProcess value (it is
- not allowed to have a mix of HostProcess
- containers and non-HostProcess containers).
- In addition, if HostProcess is true then
- HostNetwork must also be set to true.
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
- description: The UserName in Windows to run
- the entrypoint of the container process.
- Defaults to the user specified in image
- metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
tolerations:
description: If specified, the pod's tolerations.
items:
- description: The pod this Toleration is attached
- to tolerates any taint that matches the triple
- using the matching operator
- .
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
properties:
effect:
- description: Effect indicates the taint effect
- to match. Empty means match all taint effects.
- When specified, allowed values are NoSchedule,
- PreferNoSchedule and NoExecute.
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
- description: Key is the taint key that the toleration
- applies to. Empty means match all taint keys.
- If the key is empty, operator must be Exists;
- this combination means to match all values
- and all keys.
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
- description: Operator represents a key's relationship
- to the value. Valid operators are Exists and
- Equal. Defaults to Equal. Exists is equivalent
- to wildcard for value, so that a pod can tolerate
- all taints of a particular category.
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
type: string
tolerationSeconds:
- description: TolerationSeconds represents the
- period of time the toleration (which must
- be of effect NoExecute, otherwise this field
- is ignored) tolerates the taint. By default,
- it is not set, which means tolerate the taint
- forever (do not evict). Zero and negative
- values will be treated as 0 (evict immediately)
- by the system.
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
- description: Value is the taint value the toleration
- matches to. If the operator is Exists, the
- value should be empty, otherwise just a regular
- string.
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
topologySpreadConstraints:
- description: TopologySpreadConstraints describes how
- a group of pods ought to spread across topology
- domains. Scheduler will schedule pods in a way which
- abides by the constraints. All topologySpreadConstraints
- are ANDed.
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
items:
description: TopologySpreadConstraint specifies
how to spread matching pods among the given topology.
properties:
labelSelector:
- description: LabelSelector is used to find matching
- pods. Pods that match this label selector
- are counted to determine the number of pods
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
in their corresponding topology domain.
properties:
matchExpressions:
@@ -3584,30 +3117,25 @@ spec:
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -3619,158 +3147,134 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: "MatchLabelKeys is a set of pod
- label keys to select the pods over which spreading
- will be calculated. The keys are used to lookup
- values from the incoming pod labels, those
- key-value labels are ANDed with labelSelector
- to select the group of existing pods over
- which spreading will be calculated for the
- incoming pod. The same key is forbidden to
- exist in both MatchLabelKeys and LabelSelector.
- MatchLabelKeys cannot be set when LabelSelector
- isn't set. Keys that don't exist in the incoming
- pod labels will be ignored. A null or empty
- list means only match against labelSelector.
- \n This is a beta field and requires the MatchLabelKeysInPodTopologySpread
- feature gate to be enabled (enabled by default)."
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
maxSkew:
- description: 'MaxSkew describes the degree to
- which pods may be unevenly distributed. When
- `whenUnsatisfiable=DoNotSchedule`, it is the
- maximum permitted difference between the number
- of matching pods in the target topology and
- the global minimum. The global minimum is
- the minimum number of matching pods in an
- eligible domain or zero if the number of eligible
- domains is less than MinDomains. For example,
- in a 3-zone cluster, MaxSkew is set to 1,
- and pods with the same labelSelector spread
- as 2/2/1: In this case, the global minimum
- is 1. | zone1 | zone2 | zone3 | | P P | P
- P | P | - if MaxSkew is 1, incoming pod
- can only be scheduled to zone3 to become 2/2/2;
- scheduling it onto zone1(zone2) would make
- the ActualSkew(3-1) on zone1(zone2) violate
- MaxSkew(1). - if MaxSkew is 2, incoming pod
- can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`,
- it is used to give higher precedence to topologies
- that satisfy it. It''s a required field. Default
- value is 1 and 0 is not allowed.'
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
format: int32
type: integer
minDomains:
- description: "MinDomains indicates a minimum
- number of eligible domains. When the number
- of eligible domains with matching topology
- keys is less than minDomains, Pod Topology
- Spread treats \"global minimum\" as 0, and
- then the calculation of Skew is performed.
- And when the number of eligible domains with
- matching topology keys equals or greater than
- minDomains, this value has no effect on scheduling.
- As a result, when the number of eligible domains
- is less than minDomains, scheduler won't schedule
- more than maxSkew Pods to those domains. If
- value is nil, the constraint behaves as if
- MinDomains is equal to 1. Valid values are
- integers greater than 0. When value is not
- nil, WhenUnsatisfiable must be DoNotSchedule.
- \n For example, in a 3-zone cluster, MaxSkew
- is set to 2, MinDomains is set to 5 and pods
- with the same labelSelector spread as 2/2/2:
- | zone1 | zone2 | zone3 | | P P | P P |
- \ P P | The number of domains is less than
- 5(MinDomains), so \"global minimum\" is treated
- as 0. In this situation, new pod with the
- same labelSelector cannot be scheduled, because
- computed skew will be 3(3 - 0) if new Pod
- is scheduled to any of the three zones, it
- will violate MaxSkew. \n This is a beta field
- and requires the MinDomainsInPodTopologySpread
- feature gate to be enabled (enabled by default)."
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+
+
+ This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
format: int32
type: integer
nodeAffinityPolicy:
- description: "NodeAffinityPolicy indicates how
- we will treat Pod's nodeAffinity/nodeSelector
- when calculating pod topology spread skew.
- Options are: - Honor: only nodes matching
- nodeAffinity/nodeSelector are included in
- the calculations. - Ignore: nodeAffinity/nodeSelector
- are ignored. All nodes are included in the
- calculations. \n If this value is nil, the
- behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled
- by the NodeInclusionPolicyInPodTopologySpread
- feature flag."
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
- description: "NodeTaintsPolicy indicates how
- we will treat node taints when calculating
- pod topology spread skew. Options are: - Honor:
- nodes without taints, along with tainted nodes
- for which the incoming pod has a toleration,
- are included. - Ignore: node taints are ignored.
- All nodes are included. \n If this value is
- nil, the behavior is equivalent to the Ignore
- policy. This is a beta-level feature default
- enabled by the NodeInclusionPolicyInPodTopologySpread
- feature flag."
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
- description: TopologyKey is the key of node
- labels. Nodes that have a label with this
- key and identical values are considered to
- be in the same topology. We consider each
- as a "bucket", and try to put
- balanced number of pods into each bucket.
- We define a domain as a particular instance
- of a topology. Also, we define an eligible
- domain as a domain whose nodes meet the requirements
- of nodeAffinityPolicy and nodeTaintsPolicy.
- e.g. If TopologyKey is "kubernetes.io/hostname",
- each Node is a domain of that topology. And,
- if TopologyKey is "topology.kubernetes.io/zone",
- each zone is a domain of that topology. It's
- a required field.
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
type: string
whenUnsatisfiable:
- description: 'WhenUnsatisfiable indicates how
- to deal with a pod if it doesn''t satisfy
- the spread constraint. - DoNotSchedule (default)
- tells the scheduler not to schedule it. -
- ScheduleAnyway tells the scheduler to schedule
- the pod in any location, but giving higher
- precedence to topologies that would help reduce
- the skew. A constraint is considered "Unsatisfiable"
- for an incoming pod if and only if every possible
- node assignment for that pod would violate
- "MaxSkew" on some topology. For example, in
- a 3-zone cluster, MaxSkew is set to 1, and
- pods with the same labelSelector spread as
- 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P |
- If WhenUnsatisfiable is set to DoNotSchedule,
- incoming pod can only be scheduled to zone2(zone3)
- to become 3/2/1(3/1/2) as ActualSkew(2-1)
- on zone2(zone3) satisfies MaxSkew(1). In other
- words, the cluster can still be imbalanced,
- but scheduler won''t make it *more* imbalanced.
- It''s a required field.'
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
type: string
required:
- maxSkew
@@ -3779,49 +3283,45 @@ spec:
type: object
type: array
volumes:
- description: 'Volumes that can be mounted by containers
- belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes'
+ description: |-
+ Volumes that can be mounted by containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes
items:
description: Volume represents a named volume in
a pod that may be accessed by any container in
the pod.
properties:
awsElasticBlockStore:
- description: 'awsElasticBlockStore represents
- an AWS Disk resource that is attached to a
- kubelet''s host machine and then exposed to
- the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
+ description: |-
+ awsElasticBlockStore represents an AWS Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
properties:
fsType:
- description: 'fsType is the filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
+ TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
partition:
- description: 'partition is the partition
- in the volume that you want to mount.
- If omitted, the default is to mount by
- volume name. Examples: For volume /dev/sda1,
- you specify the partition as "1". Similarly,
- the volume partition for /dev/sda is "0"
- (or you can leave the property empty).'
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
format: int32
type: integer
readOnly:
- description: 'readOnly value true will force
- the readOnly setting in VolumeMounts.
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
+ description: |-
+ readOnly value true will force the readOnly setting in VolumeMounts.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: boolean
volumeID:
- description: 'volumeID is unique ID of the
- persistent disk resource in AWS (Amazon
- EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
+ description: |-
+ volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: string
required:
- volumeID
@@ -3844,11 +3344,10 @@ spec:
disk in the blob storage
type: string
fsType:
- description: fsType is Filesystem type to
- mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ description: |-
+ fsType is Filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
kind:
description: 'kind expected values are Shared:
@@ -3858,8 +3357,8 @@ spec:
availability set). defaults to shared'
type: string
readOnly:
- description: readOnly Defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
required:
@@ -3872,8 +3371,8 @@ spec:
the pod.
properties:
readOnly:
- description: readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretName:
@@ -3894,9 +3393,9 @@ spec:
on the host that shares a pod's lifetime
properties:
monitors:
- description: 'monitors is Required: Monitors
- is a collection of Ceph monitors More
- info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ monitors is Required: Monitors is a collection of Ceph monitors
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
items:
type: string
type: array
@@ -3906,73 +3405,72 @@ spec:
Ceph tree, default is /'
type: string
readOnly:
- description: 'readOnly is Optional: Defaults
- to false (read/write). ReadOnly here will
- force the ReadOnly setting in VolumeMounts.
- More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: boolean
secretFile:
- description: 'secretFile is Optional: SecretFile
- is the path to key ring for User, default
- is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
secretRef:
- description: 'secretRef is Optional: SecretRef
- is reference to the authentication secret
- for User, default is empty. More info:
- https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
user:
- description: 'user is optional: User is
- the rados user name, default is admin
- More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ user is optional: User is the rados user name, default is admin
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
required:
- monitors
type: object
cinder:
- description: 'cinder represents a cinder volume
- attached and mounted on kubelets host machine.
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
+ description: |-
+ cinder represents a cinder volume attached and mounted on kubelets host machine.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
properties:
fsType:
- description: 'fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Examples:
- "ext4", "xfs", "ntfs". Implicitly inferred
- to be "ext4" if unspecified. More info:
- https://examples.k8s.io/mysql-cinder-pd/README.md'
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
readOnly:
- description: 'readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: boolean
secretRef:
- description: 'secretRef is optional: points
- to a secret object containing parameters
- used to connect to OpenStack.'
+ description: |-
+ secretRef is optional: points to a secret object containing parameters used to connect
+ to OpenStack.
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
volumeID:
- description: 'volumeID used to identify
- the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
+ description: |-
+ volumeID used to identify the volume in cinder.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
required:
- volumeID
@@ -3982,34 +3480,25 @@ spec:
that should populate this volume
properties:
defaultMode:
- description: 'defaultMode is optional: mode
- bits used to set permissions on created
- files by default. Must be an octal value
- between 0000 and 0777 or a decimal value
- between 0 and 511. YAML accepts both octal
- and decimal values, JSON requires decimal
- values for mode bits. Defaults to 0644.
- Directories within the path are not affected
- by this setting. This might be in conflict
- with other options that affect the file
- mode, like fsGroup, and the result can
- be other mode bits set.'
+ description: |-
+ defaultMode is optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
- description: items if unspecified, each
- key-value pair in the Data field of the
- referenced ConfigMap will be projected
- into the volume as a file whose name is
- the key and content is the value. If specified,
- the listed keys will be projected into
- the specified paths, and unlisted keys
- will not be present. If a key is specified
- which is not present in the ConfigMap,
- the volume setup will error unless it
- is marked optional. Paths must be relative
- and may not contain the '..' path or start
- with '..'.
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
@@ -4018,28 +3507,21 @@ spec:
description: key is the key to project.
type: string
mode:
- description: 'mode is Optional: mode
- bits used to set permissions on
- this file. Must be an octal value
- between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts
- both octal and decimal values, JSON
- requires decimal values for mode
- bits. If not specified, the volume
- defaultMode will be used. This might
- be in conflict with other options
- that affect the file mode, like
- fsGroup, and the result can be other
- mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the relative
- path of the file to map the key
- to. May not be an absolute path.
- May not contain the path element
- '..'. May not start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
@@ -4047,10 +3529,10 @@ spec:
type: object
type: array
name:
- description: 'Name of the referent. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional specify whether the
@@ -4064,49 +3546,43 @@ spec:
by certain external CSI drivers (Beta feature).
properties:
driver:
- description: driver is the name of the CSI
- driver that handles this volume. Consult
- with your admin for the correct name as
- registered in the cluster.
+ description: |-
+ driver is the name of the CSI driver that handles this volume.
+ Consult with your admin for the correct name as registered in the cluster.
type: string
fsType:
- description: fsType to mount. Ex. "ext4",
- "xfs", "ntfs". If not provided, the empty
- value is passed to the associated CSI
- driver which will determine the default
- filesystem to apply.
+ description: |-
+ fsType to mount. Ex. "ext4", "xfs", "ntfs".
+ If not provided, the empty value is passed to the associated CSI driver
+ which will determine the default filesystem to apply.
type: string
nodePublishSecretRef:
- description: nodePublishSecretRef is a reference
- to the secret object containing sensitive
- information to pass to the CSI driver
- to complete the CSI NodePublishVolume
- and NodeUnpublishVolume calls. This field
- is optional, and may be empty if no secret
- is required. If the secret object contains
- more than one secret, all secret references
- are passed.
+ description: |-
+ nodePublishSecretRef is a reference to the secret object containing
+ sensitive information to pass to the CSI driver to complete the CSI
+ NodePublishVolume and NodeUnpublishVolume calls.
+ This field is optional, and may be empty if no secret is required. If the
+ secret object contains more than one secret, all secret references are passed.
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
readOnly:
- description: readOnly specifies a read-only
- configuration for the volume. Defaults
- to false (read/write).
+ description: |-
+ readOnly specifies a read-only configuration for the volume.
+ Defaults to false (read/write).
type: boolean
volumeAttributes:
additionalProperties:
type: string
- description: volumeAttributes stores driver-specific
- properties that are passed to the CSI
- driver. Consult your driver's documentation
- for supported values.
+ description: |-
+ volumeAttributes stores driver-specific properties that are passed to the CSI
+ driver. Consult your driver's documentation for supported values.
type: object
required:
- driver
@@ -4117,20 +3593,15 @@ spec:
volume
properties:
defaultMode:
- description: 'Optional: mode bits to use
- on created files by default. Must be a
- Optional: mode bits used to set permissions
- on created files by default. Must be an
- octal value between 0000 and 0777 or a
- decimal value between 0 and 511. YAML
- accepts both octal and decimal values,
- JSON requires decimal values for mode
- bits. Defaults to 0644. Directories within
- the path are not affected by this setting.
- This might be in conflict with other options
- that affect the file mode, like fsGroup,
- and the result can be other mode bits
- set.'
+ description: |-
+ Optional: mode bits to use on created files by default. Must be a
+ Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
@@ -4161,19 +3632,13 @@ spec:
type: object
x-kubernetes-map-type: atomic
mode:
- description: 'Optional: mode bits
- used to set permissions on this
- file, must be an octal value between
- 0000 and 0777 or a decimal value
- between 0 and 511. YAML accepts
- both octal and decimal values, JSON
- requires decimal values for mode
- bits. If not specified, the volume
- defaultMode will be used. This might
- be in conflict with other options
- that affect the file mode, like
- fsGroup, and the result can be other
- mode bits set.'
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
@@ -4186,11 +3651,9 @@ spec:
with ''..'''
type: string
resourceFieldRef:
- description: 'Selects a resource of
- the container: only resources limits
- and requests (limits.cpu, limits.memory,
- requests.cpu and requests.memory)
- are currently supported.'
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container name:
@@ -4220,138 +3683,125 @@ spec:
type: array
type: object
emptyDir:
- description: 'emptyDir represents a temporary
- directory that shares a pod''s lifetime. More
- info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
+ description: |-
+ emptyDir represents a temporary directory that shares a pod's lifetime.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
properties:
medium:
- description: 'medium represents what type
- of storage medium should back this directory.
- The default is "" which means to use the
- node''s default medium. Must be an empty
- string (default) or Memory. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
+ description: |-
+ medium represents what type of storage medium should back this directory.
+ The default is "" which means to use the node's default medium.
+ Must be an empty string (default) or Memory.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
type: string
sizeLimit:
anyOf:
- type: integer
- type: string
- description: 'sizeLimit is the total amount
- of local storage required for this EmptyDir
- volume. The size limit is also applicable
- for memory medium. The maximum usage on
- memory medium EmptyDir would be the minimum
- value between the SizeLimit specified
- here and the sum of memory limits of all
- containers in a pod. The default is nil
- which means that the limit is undefined.
- More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
+ description: |-
+ sizeLimit is the total amount of local storage required for this EmptyDir volume.
+ The size limit is also applicable for memory medium.
+ The maximum usage on memory medium EmptyDir would be the minimum value between
+ the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+ The default is nil which means that the limit is undefined.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
ephemeral:
- description: "ephemeral represents a volume
- that is handled by a cluster storage driver.
- The volume's lifecycle is tied to the pod
- that defines it - it will be created before
- the pod starts, and deleted when the pod is
- removed. \n Use this if: a) the volume is
- only needed while the pod runs, b) features
- of normal volumes like restoring from snapshot
- or capacity tracking are needed, c) the storage
- driver is specified through a storage class,
- and d) the storage driver supports dynamic
- volume provisioning through a PersistentVolumeClaim
- (see EphemeralVolumeSource for more information
- on the connection between this volume type
- and PersistentVolumeClaim). \n Use PersistentVolumeClaim
- or one of the vendor-specific APIs for volumes
- that persist for longer than the lifecycle
- of an individual pod. \n Use CSI for light-weight
- local ephemeral volumes if the CSI driver
- is meant to be used that way - see the documentation
- of the driver for more information. \n A pod
- can use both types of ephemeral volumes and
- persistent volumes at the same time."
+ description: |-
+ ephemeral represents a volume that is handled by a cluster storage driver.
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+ and deleted when the pod is removed.
+
+
+ Use this if:
+ a) the volume is only needed while the pod runs,
+ b) features of normal volumes like restoring from snapshot or capacity
+ tracking are needed,
+ c) the storage driver is specified through a storage class, and
+ d) the storage driver supports dynamic volume provisioning through
+ a PersistentVolumeClaim (see EphemeralVolumeSource for more
+ information on the connection between this volume type
+ and PersistentVolumeClaim).
+
+
+ Use PersistentVolumeClaim or one of the vendor-specific
+ APIs for volumes that persist for longer than the lifecycle
+ of an individual pod.
+
+
+ Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+ be used that way - see the documentation of the driver for
+ more information.
+
+
+ A pod can use both types of ephemeral volumes and
+ persistent volumes at the same time.
properties:
volumeClaimTemplate:
- description: "Will be used to create a stand-alone
- PVC to provision the volume. The pod in
- which this EphemeralVolumeSource is embedded
- will be the owner of the PVC, i.e. the
- PVC will be deleted together with the
- pod. The name of the PVC will be `-` where ``
- is the name from the `PodSpec.Volumes`
- array entry. Pod validation will reject
- the pod if the concatenated name is not
- valid for a PVC (for example, too long).
- \n An existing PVC with that name that
- is not owned by the pod will *not* be
- used for the pod to avoid using an unrelated
- volume by mistake. Starting the pod is
- then blocked until the unrelated PVC is
- removed. If such a pre-created PVC is
- meant to be used by the pod, the PVC has
- to updated with an owner reference to
- the pod once the pod exists. Normally
- this should not be necessary, but it may
- be useful when manually reconstructing
- a broken cluster. \n This field is read-only
- and no changes will be made by Kubernetes
+ description: |-
+ Will be used to create a stand-alone PVC to provision the volume.
+ The pod in which this EphemeralVolumeSource is embedded will be the
+ owner of the PVC, i.e. the PVC will be deleted together with the
+ pod. The name of the PVC will be `-` where
+ `` is the name from the `PodSpec.Volumes` array
+ entry. Pod validation will reject the pod if the concatenated name
+ is not valid for a PVC (for example, too long).
+
+
+ An existing PVC with that name that is not owned by the pod
+ will *not* be used for the pod to avoid using an unrelated
+ volume by mistake. Starting the pod is then blocked until
+ the unrelated PVC is removed. If such a pre-created PVC is
+ meant to be used by the pod, the PVC has to updated with an
+ owner reference to the pod once the pod exists. Normally
+ this should not be necessary, but it may be useful when
+ manually reconstructing a broken cluster.
+
+
+ This field is read-only and no changes will be made by Kubernetes
to the PVC after it has been created.
- \n Required, must not be nil."
+
+
+ Required, must not be nil.
properties:
metadata:
- description: May contain labels and
- annotations that will be copied into
- the PVC when creating it. No other
- fields are allowed and will be rejected
- during validation.
+ description: |-
+ May contain labels and annotations that will be copied into the PVC
+ when creating it. No other fields are allowed and will be rejected during
+ validation.
type: object
spec:
- description: The specification for the
- PersistentVolumeClaim. The entire
- content is copied unchanged into the
- PVC that gets created from this template.
- The same fields as in a PersistentVolumeClaim
+ description: |-
+ The specification for the PersistentVolumeClaim. The entire content is
+ copied unchanged into the PVC that gets created from this
+ template. The same fields as in a PersistentVolumeClaim
are also valid here.
properties:
accessModes:
- description: 'accessModes contains
- the desired access modes the volume
- should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
+ description: |-
+ accessModes contains the desired access modes the volume should have.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
items:
type: string
type: array
dataSource:
- description: 'dataSource field can
- be used to specify either: * An
- existing VolumeSnapshot object
- (snapshot.storage.k8s.io/VolumeSnapshot)
+ description: |-
+ dataSource field can be used to specify either:
+ * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
* An existing PVC (PersistentVolumeClaim)
- If the provisioner or an external
- controller can support the specified
- data source, it will create a
- new volume based on the contents
- of the specified data source.
- When the AnyVolumeDataSource feature
- gate is enabled, dataSource contents
- will be copied to dataSourceRef,
- and dataSourceRef contents will
- be copied to dataSource when dataSourceRef.namespace
- is not specified. If the namespace
- is specified, then dataSourceRef
- will not be copied to dataSource.'
+ If the provisioner or an external controller can support the specified data source,
+ it will create a new volume based on the contents of the specified data source.
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+ and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+ If the namespace is specified, then dataSourceRef will not be copied to dataSource.
properties:
apiGroup:
- description: APIGroup is the
- group for the resource being
- referenced. If APIGroup is
- not specified, the specified
- Kind must be in the core API
- group. For any other third-party
- types, APIGroup is required.
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type
@@ -4367,59 +3817,36 @@ spec:
type: object
x-kubernetes-map-type: atomic
dataSourceRef:
- description: 'dataSourceRef specifies
- the object from which to populate
- the volume with data, if a non-empty
- volume is desired. This may be
- any object from a non-empty API
- group (non core object) or a PersistentVolumeClaim
- object. When this field is specified,
- volume binding will only succeed
- if the type of the specified object
- matches some installed volume
- populator or dynamic provisioner.
- This field will replace the functionality
- of the dataSource field and as
- such if both fields are non-empty,
- they must have the same value.
- For backwards compatibility, when
- namespace isn''t specified in
- dataSourceRef, both fields (dataSource
- and dataSourceRef) will be set
- to the same value automatically
- if one of them is empty and the
- other is non-empty. When namespace
- is specified in dataSourceRef,
- dataSource isn''t set to the same
- value and must be empty. There
- are three important differences
- between dataSource and dataSourceRef:
- * While dataSource only allows
- two specific types of objects,
- dataSourceRef allows any non-core
- object, as well as PersistentVolumeClaim
- objects. * While dataSource ignores
- disallowed values (dropping them),
- dataSourceRef preserves all values,
- and generates an error if a disallowed
- value is specified. * While dataSource
- only allows local objects, dataSourceRef
- allows objects in any namespaces.
- (Beta) Using this field requires
- the AnyVolumeDataSource feature
- gate to be enabled. (Alpha) Using
- the namespace field of dataSourceRef
- requires the CrossNamespaceVolumeDataSource
- feature gate to be enabled.'
+ description: |-
+ dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+ volume is desired. This may be any object from a non-empty API group (non
+ core object) or a PersistentVolumeClaim object.
+ When this field is specified, volume binding will only succeed if the type of
+ the specified object matches some installed volume populator or dynamic
+ provisioner.
+ This field will replace the functionality of the dataSource field and as such
+ if both fields are non-empty, they must have the same value. For backwards
+ compatibility, when namespace isn't specified in dataSourceRef,
+ both fields (dataSource and dataSourceRef) will be set to the same
+ value automatically if one of them is empty and the other is non-empty.
+ When namespace is specified in dataSourceRef,
+ dataSource isn't set to the same value and must be empty.
+ There are three important differences between dataSource and dataSourceRef:
+ * While dataSource only allows two specific types of objects, dataSourceRef
+ allows any non-core object, as well as PersistentVolumeClaim objects.
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef
+ preserves all values, and generates an error if a disallowed value is
+ specified.
+ * While dataSource only allows local objects, dataSourceRef allows objects
+ in any namespaces.
+ (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
properties:
apiGroup:
- description: APIGroup is the
- group for the resource being
- referenced. If APIGroup is
- not specified, the specified
- Kind must be in the core API
- group. For any other third-party
- types, APIGroup is required.
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type
@@ -4430,35 +3857,22 @@ spec:
of resource being referenced
type: string
namespace:
- description: Namespace is the
- namespace of resource being
- referenced Note that when
- a namespace is specified,
- a gateway.networking.k8s.io/ReferenceGrant
- object is required in the
- referent namespace to allow
- that namespace's owner to
- accept the reference. See
- the ReferenceGrant documentation
- for details. (Alpha) This
- field requires the CrossNamespaceVolumeDataSource
- feature gate to be enabled.
+ description: |-
+ Namespace is the namespace of resource being referenced
+ Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+ (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
type: string
required:
- kind
- name
type: object
resources:
- description: 'resources represents
- the minimum resources the volume
- should have. If RecoverVolumeExpansionFailure
- feature is enabled users are allowed
- to specify resource requirements
- that are lower than previous value
- but must still be higher than
- capacity recorded in the status
- field of the claim. More info:
- https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
+ description: |-
+ resources represents the minimum resources the volume should have.
+ If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
+ that are lower than previous value but must still be higher than capacity recorded in the
+ status field of the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
properties:
limits:
additionalProperties:
@@ -4467,10 +3881,9 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Limits describes
- the maximum amount of compute
- resources allowed. More info:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
@@ -4479,15 +3892,11 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Requests describes
- the minimum amount of compute
- resources required. If Requests
- is omitted for a container,
- it defaults to Limits if that
- is explicitly specified, otherwise
- to an implementation-defined
- value. Requests cannot exceed
- Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
selector:
@@ -4501,10 +3910,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -4513,24 +3920,15 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
@@ -4543,59 +3941,37 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
storageClassName:
- description: 'storageClassName is
- the name of the StorageClass required
- by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
+ description: |-
+ storageClassName is the name of the StorageClass required by the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
type: string
volumeAttributesClassName:
- description: 'volumeAttributesClassName
- may be used to set the VolumeAttributesClass
- used by this claim. If specified,
- the CSI driver will create or
- update the volume with the attributes
- defined in the corresponding VolumeAttributesClass.
- This has a different purpose than
- storageClassName, it can be changed
- after the claim is created. An
- empty string value means that
- no VolumeAttributesClass will
- be applied to the claim but it''s
- not allowed to reset this field
- to empty string once it is set.
- If unspecified and the PersistentVolumeClaim
- is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume
- controller if it exists. If the
- resource referred to by volumeAttributesClass
- does not exist, this PersistentVolumeClaim
- will be set to a Pending state,
- as reflected by the modifyVolumeStatus
- field, until such as a resource
- exists. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
- (Alpha) Using this field requires
- the VolumeAttributesClass feature
- gate to be enabled.'
+ description: |-
+ volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+ If specified, the CSI driver will create or update the volume with the attributes defined
+ in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+ it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+ will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+ If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+ will be set by the persistentvolume controller if it exists.
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+ set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+ exists.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
+ (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
type: string
volumeMode:
- description: volumeMode defines
- what type of volume is required
- by the claim. Value of Filesystem
- is implied when not included in
- claim spec.
+ description: |-
+ volumeMode defines what type of volume is required by the claim.
+ Value of Filesystem is implied when not included in claim spec.
type: string
volumeName:
description: volumeName is the binding
@@ -4613,13 +3989,11 @@ spec:
and then exposed to the pod.
properties:
fsType:
- description: 'fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified. TODO: how do
- we prevent errors in the filesystem from
- compromising the machine'
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
lun:
description: 'lun is Optional: FC target
@@ -4627,9 +4001,9 @@ spec:
format: int32
type: integer
readOnly:
- description: 'readOnly is Optional: Defaults
- to false (read/write). ReadOnly here will
- force the ReadOnly setting in VolumeMounts.'
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
type: boolean
targetWWNs:
description: 'targetWWNs is Optional: FC
@@ -4638,29 +4012,27 @@ spec:
type: string
type: array
wwids:
- description: 'wwids Optional: FC volume
- world wide identifiers (wwids) Either
- wwids or combination of targetWWNs and
- lun must be set, but not both simultaneously.'
+ description: |-
+ wwids Optional: FC volume world wide identifiers (wwids)
+ Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
items:
type: string
type: array
type: object
flexVolume:
- description: flexVolume represents a generic
- volume resource that is provisioned/attached
- using an exec based plugin.
+ description: |-
+ flexVolume represents a generic volume resource that is
+ provisioned/attached using an exec based plugin.
properties:
driver:
description: driver is the name of the driver
to use for this volume.
type: string
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". The default filesystem
- depends on FlexVolume script.
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
type: string
options:
additionalProperties:
@@ -4669,24 +4041,23 @@ spec:
field holds extra command options if any.'
type: object
readOnly:
- description: 'readOnly is Optional: defaults
- to false (read/write). ReadOnly here will
- force the ReadOnly setting in VolumeMounts.'
+ description: |-
+ readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
- description: 'secretRef is Optional: secretRef
- is reference to the secret object containing
- sensitive information to pass to the plugin
- scripts. This may be empty if no secret
- object is specified. If the secret object
- contains more than one secret, all secrets
- are passed to the plugin scripts.'
+ description: |-
+ secretRef is Optional: secretRef is reference to the secret object containing
+ sensitive information to pass to the plugin scripts. This may be
+ empty if no secret object is specified. If the secret object
+ contains more than one secret, all secrets are passed to the plugin
+ scripts.
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
@@ -4700,10 +4071,9 @@ spec:
running
properties:
datasetName:
- description: datasetName is Name of the
- dataset stored as metadata -> name on
- the dataset for Flocker should be considered
- as deprecated
+ description: |-
+ datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+ should be considered as deprecated
type: string
datasetUUID:
description: datasetUUID is the UUID of
@@ -4712,62 +4082,55 @@ spec:
type: string
type: object
gcePersistentDisk:
- description: 'gcePersistentDisk represents a
- GCE Disk resource that is attached to a kubelet''s
- host machine and then exposed to the pod.
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ gcePersistentDisk represents a GCE Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
properties:
fsType:
- description: 'fsType is filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
+ TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
partition:
- description: 'partition is the partition
- in the volume that you want to mount.
- If omitted, the default is to mount by
- volume name. Examples: For volume /dev/sda1,
- you specify the partition as "1". Similarly,
- the volume partition for /dev/sda is "0"
- (or you can leave the property empty).
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
format: int32
type: integer
pdName:
- description: 'pdName is unique name of the
- PD resource in GCE. Used to identify the
- disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: string
readOnly:
- description: 'readOnly here will force the
- ReadOnly setting in VolumeMounts. Defaults
- to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: boolean
required:
- pdName
type: object
gitRepo:
- description: 'gitRepo represents a git repository
- at a particular revision. DEPRECATED: GitRepo
- is deprecated. To provision a container with
- a git repo, mount an EmptyDir into an InitContainer
- that clones the repo using git, then mount
- the EmptyDir into the Pod''s container.'
+ description: |-
+ gitRepo represents a git repository at a particular revision.
+ DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+ EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+ into the Pod's container.
properties:
directory:
- description: directory is the target directory
- name. Must not contain or start with '..'. If
- '.' is supplied, the volume directory
- will be the git repository. Otherwise,
- if specified, the volume will contain
- the git repository in the subdirectory
- with the given name.
+ description: |-
+ directory is the target directory name.
+ Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
+ git repository. Otherwise, if specified, the volume will contain the git repository in
+ the subdirectory with the given name.
type: string
repository:
description: repository is the URL
@@ -4780,59 +4143,61 @@ spec:
- repository
type: object
glusterfs:
- description: 'glusterfs represents a Glusterfs
- mount on the host that shares a pod''s lifetime.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md'
+ description: |-
+ glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: 'endpoints is the endpoint
- name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
+ description: |-
+ endpoints is the endpoint name that details Glusterfs topology.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
path:
- description: 'path is the Glusterfs volume
- path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
+ description: |-
+ path is the Glusterfs volume path.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
readOnly:
- description: 'readOnly here will force the
- Glusterfs volume to be mounted with read-only
- permissions. Defaults to false. More info:
- https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
+ description: |-
+ readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: boolean
required:
- endpoints
- path
type: object
hostPath:
- description: 'hostPath represents a pre-existing
- file or directory on the host machine that
- is directly exposed to the container. This
- is generally used for system agents or other
- privileged things that are allowed to see
- the host machine. Most containers will NOT
- need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
- --- TODO(jonesdl) We need to restrict who
- can use host directory mounts and who can/can
- not mount host directories as read/write.'
+ description: |-
+ hostPath represents a pre-existing file or directory on the host
+ machine that is directly exposed to the container. This is generally
+ used for system agents or other privileged things that are allowed
+ to see the host machine. Most containers will NOT need this.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ ---
+ TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
+ mount host directories as read/write.
properties:
path:
- description: 'path of the directory on the
- host. If the path is a symlink, it will
- follow the link to the real path. More
- info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'
+ description: |-
+ path of the directory on the host.
+ If the path is a symlink, it will follow the link to the real path.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
type:
- description: 'type for HostPath Volume Defaults
- to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'
+ description: |-
+ type for HostPath Volume
+ Defaults to ""
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
required:
- path
type: object
iscsi:
- description: 'iscsi represents an ISCSI Disk
- resource that is attached to a kubelet''s
- host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md'
+ description: |-
+ iscsi represents an ISCSI Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://examples.k8s.io/volumes/iscsi/README.md
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether
@@ -4843,31 +4208,27 @@ spec:
support iSCSI Session CHAP authentication
type: boolean
fsType:
- description: 'fsType is the filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
+ TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
initiatorName:
- description: initiatorName is the custom
- iSCSI Initiator Name. If initiatorName
- is specified with iscsiInterface simultaneously,
- new iSCSI interface : will be created for the connection.
+ description: |-
+ initiatorName is the custom iSCSI Initiator Name.
+ If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+ : will be created for the connection.
type: string
iqn:
description: iqn is the target iSCSI Qualified
Name.
type: string
iscsiInterface:
- description: iscsiInterface is the interface
- Name that uses an iSCSI transport. Defaults
- to 'default' (tcp).
+ description: |-
+ iscsiInterface is the interface Name that uses an iSCSI transport.
+ Defaults to 'default' (tcp).
type: string
lun:
description: lun represents iSCSI Target
@@ -4875,35 +4236,33 @@ spec:
format: int32
type: integer
portals:
- description: portals is the iSCSI Target
- Portal List. The portal is either an IP
- or ip_addr:port if the port is other than
- default (typically TCP ports 860 and 3260).
+ description: |-
+ portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
items:
type: string
type: array
readOnly:
- description: readOnly here will force the
- ReadOnly setting in VolumeMounts. Defaults
- to false.
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
type: boolean
secretRef:
description: secretRef is the CHAP Secret
for iSCSI target and initiator authentication
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
targetPortal:
- description: targetPortal is iSCSI Target
- Portal. The Portal is either an IP or
- ip_addr:port if the port is other than
- default (typically TCP ports 860 and 3260).
+ description: |-
+ targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
type: string
required:
- iqn
@@ -4911,48 +4270,51 @@ spec:
- targetPortal
type: object
name:
- description: 'name of the volume. Must be a
- DNS_LABEL and unique within the pod. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ name of the volume.
+ Must be a DNS_LABEL and unique within the pod.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
nfs:
- description: 'nfs represents an NFS mount on
- the host that shares a pod''s lifetime More
- info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ nfs represents an NFS mount on the host that shares a pod's lifetime
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
properties:
path:
- description: 'path that is exported by the
- NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ path that is exported by the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
readOnly:
- description: 'readOnly here will force the
- NFS export to be mounted with read-only
- permissions. Defaults to false. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ readOnly here will force the NFS export to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: boolean
server:
- description: 'server is the hostname or
- IP address of the NFS server. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ server is the hostname or IP address of the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
required:
- path
- server
type: object
persistentVolumeClaim:
- description: 'persistentVolumeClaimVolumeSource
- represents a reference to a PersistentVolumeClaim
- in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+ description: |-
+ persistentVolumeClaimVolumeSource represents a reference to a
+ PersistentVolumeClaim in the same namespace.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
properties:
claimName:
- description: 'claimName is the name of a
- PersistentVolumeClaim in the same namespace
- as the pod using this volume. More info:
- https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+ description: |-
+ claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
type: string
readOnly:
- description: readOnly Will force the ReadOnly
- setting in VolumeMounts. Default false.
+ description: |-
+ readOnly Will force the ReadOnly setting in VolumeMounts.
+ Default false.
type: boolean
required:
- claimName
@@ -4963,11 +4325,10 @@ spec:
and mounted on kubelets host machine
properties:
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
pdID:
description: pdID is the ID that identifies
@@ -4982,15 +4343,14 @@ spec:
machine
properties:
fsType:
- description: fSType represents the filesystem
- type to mount Must be a filesystem type
- supported by the host operating system.
- Ex. "ext4", "xfs". Implicitly inferred
- to be "ext4" if unspecified.
+ description: |-
+ fSType represents the filesystem type to mount
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
- description: readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
volumeID:
@@ -5006,18 +4366,13 @@ spec:
API
properties:
defaultMode:
- description: defaultMode are the mode bits
- used to set permissions on created files
- by default. Must be an octal value between
- 0000 and 0777 or a decimal value between
- 0 and 511. YAML accepts both octal and
- decimal values, JSON requires decimal
- values for mode bits. Directories within
- the path are not affected by this setting.
- This might be in conflict with other options
- that affect the file mode, like fsGroup,
- and the result can be other mode bits
- set.
+ description: |-
+ defaultMode are the mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
sources:
@@ -5028,33 +4383,29 @@ spec:
along with other supported volume types
properties:
clusterTrustBundle:
- description: "ClusterTrustBundle allows
- a pod to access the `.spec.trustBundle`
- field of ClusterTrustBundle objects
- in an auto-updating file. \n Alpha,
- gated by the ClusterTrustBundleProjection
- feature gate. \n ClusterTrustBundle
- objects can either be selected by
- name, or by the combination of signer
- name and a label selector. \n Kubelet
- performs aggressive normalization
- of the PEM contents written into
- the pod filesystem. Esoteric PEM
- features such as inter-block comments
- and block headers are stripped.
- \ Certificates are deduplicated.
- The ordering of certificates within
- the file is arbitrary, and Kubelet
- may change the order over time."
+ description: |-
+ ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+ of ClusterTrustBundle objects in an auto-updating file.
+
+
+ Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+
+ ClusterTrustBundle objects can either be selected by name, or by the
+ combination of signer name and a label selector.
+
+
+ Kubelet performs aggressive normalization of the PEM contents written
+ into the pod filesystem. Esoteric PEM features such as inter-block
+ comments and block headers are stripped. Certificates are deduplicated.
+ The ordering of certificates within the file is arbitrary, and Kubelet
+ may change the order over time.
properties:
labelSelector:
- description: Select all ClusterTrustBundles
- that match this label selector. Only
- has effect if signerName is
- set. Mutually-exclusive with
- name. If unset, interpreted
- as "match nothing". If set
- but empty, interpreted as "match
+ description: |-
+ Select all ClusterTrustBundles that match this label selector. Only has
+ effect if signerName is set. Mutually-exclusive with name. If unset,
+ interpreted as "match nothing". If set but empty, interpreted as "match
everything".
properties:
matchExpressions:
@@ -5063,12 +4414,9 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values,
- a key, and an operator
- that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is
@@ -5077,28 +4425,16 @@ spec:
to.
type: string
operator:
- description: operator
- represents a key's
- relationship to a
- set of values. Valid
- operators are In,
- NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values
- is an array of string
- values. If the operator
- is In or NotIn, the
- values array must
- be non-empty. If the
- operator is Exists
- or DoesNotExist, the
- values array must
- be empty. This array
- is replaced during
- a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -5110,34 +4446,25 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in
- the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
name:
- description: Select a single ClusterTrustBundle
- by object name. Mutually-exclusive
+ description: |-
+ Select a single ClusterTrustBundle by object name. Mutually-exclusive
with signerName and labelSelector.
type: string
optional:
- description: If true, don't block
- pod startup if the referenced
- ClusterTrustBundle(s) aren't
- available. If using name, then
- the named ClusterTrustBundle
- is allowed not to exist. If
- using signerName, then the combination
- of signerName and labelSelector
- is allowed to match zero ClusterTrustBundles.
+ description: |-
+ If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+ aren't available. If using name, then the named ClusterTrustBundle is
+ allowed not to exist. If using signerName, then the combination of
+ signerName and labelSelector is allowed to match zero
+ ClusterTrustBundles.
type: boolean
path:
description: Relative path from
@@ -5145,11 +4472,10 @@ spec:
bundle.
type: string
signerName:
- description: Select all ClusterTrustBundles
- that match this signer name.
- Mutually-exclusive with name. The
- contents of all selected ClusterTrustBundles
- will be unified and deduplicated.
+ description: |-
+ Select all ClusterTrustBundles that match this signer name.
+ Mutually-exclusive with name. The contents of all selected
+ ClusterTrustBundles will be unified and deduplicated.
type: string
required:
- path
@@ -5159,23 +4485,14 @@ spec:
about the configMap data to project
properties:
items:
- description: items if unspecified,
- each key-value pair in the Data
- field of the referenced ConfigMap
- will be projected into the volume
- as a file whose name is the
- key and content is the value.
- If specified, the listed keys
- will be projected into the specified
- paths, and unlisted keys will
- not be present. If a key is
- specified which is not present
- in the ConfigMap, the volume
- setup will error unless it is
- marked optional. Paths must
- be relative and may not contain
- the '..' path or start with
- '..'.
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key
to a path within a volume.
@@ -5185,35 +4502,21 @@ spec:
key to project.
type: string
mode:
- description: 'mode is Optional:
- mode bits used to set
- permissions on this file.
- Must be an octal value
- between 0000 and 0777
- or a decimal value between
- 0 and 511. YAML accepts
- both octal and decimal
- values, JSON requires
- decimal values for mode
- bits. If not specified,
- the volume defaultMode
- will be used. This might
- be in conflict with other
- options that affect the
- file mode, like fsGroup,
- and the result can be
- other mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the
- relative path of the file
- to map the key to. May
- not be an absolute path.
- May not contain the path
- element '..'. May not
- start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
@@ -5221,10 +4524,10 @@ spec:
type: object
type: array
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields.
- apiVersion, kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional specify
@@ -5271,24 +4574,13 @@ spec:
type: object
x-kubernetes-map-type: atomic
mode:
- description: 'Optional:
- mode bits used to set
- permissions on this file,
- must be an octal value
- between 0000 and 0777
- or a decimal value between
- 0 and 511. YAML accepts
- both octal and decimal
- values, JSON requires
- decimal values for mode
- bits. If not specified,
- the volume defaultMode
- will be used. This might
- be in conflict with other
- options that affect the
- file mode, like fsGroup,
- and the result can be
- other mode bits set.'
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
@@ -5304,13 +4596,9 @@ spec:
''..'''
type: string
resourceFieldRef:
- description: 'Selects a
- resource of the container:
- only resources limits
- and requests (limits.cpu,
- limits.memory, requests.cpu
- and requests.memory) are
- currently supported.'
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container
@@ -5346,22 +4634,14 @@ spec:
the secret data to project
properties:
items:
- description: items if unspecified,
- each key-value pair in the Data
- field of the referenced Secret
- will be projected into the volume
- as a file whose name is the
- key and content is the value.
- If specified, the listed keys
- will be projected into the specified
- paths, and unlisted keys will
- not be present. If a key is
- specified which is not present
- in the Secret, the volume setup
- will error unless it is marked
- optional. Paths must be relative
- and may not contain the '..'
- path or start with '..'.
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key
to a path within a volume.
@@ -5371,35 +4651,21 @@ spec:
key to project.
type: string
mode:
- description: 'mode is Optional:
- mode bits used to set
- permissions on this file.
- Must be an octal value
- between 0000 and 0777
- or a decimal value between
- 0 and 511. YAML accepts
- both octal and decimal
- values, JSON requires
- decimal values for mode
- bits. If not specified,
- the volume defaultMode
- will be used. This might
- be in conflict with other
- options that affect the
- file mode, like fsGroup,
- and the result can be
- other mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the
- relative path of the file
- to map the key to. May
- not be an absolute path.
- May not contain the path
- element '..'. May not
- start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
@@ -5407,10 +4673,10 @@ spec:
type: object
type: array
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields.
- apiVersion, kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional field specify
@@ -5425,37 +4691,26 @@ spec:
data to project
properties:
audience:
- description: audience is the intended
- audience of the token. A recipient
- of a token must identify itself
- with an identifier specified
- in the audience of the token,
- and otherwise should reject
- the token. The audience defaults
- to the identifier of the apiserver.
+ description: |-
+ audience is the intended audience of the token. A recipient of a token
+ must identify itself with an identifier specified in the audience of the
+ token, and otherwise should reject the token. The audience defaults to the
+ identifier of the apiserver.
type: string
expirationSeconds:
- description: expirationSeconds
- is the requested duration of
- validity of the service account
- token. As the token approaches
- expiration, the kubelet volume
- plugin will proactively rotate
- the service account token. The
- kubelet will start trying to
- rotate the token if the token
- is older than 80 percent of
- its time to live or if the token
- is older than 24 hours.Defaults
- to 1 hour and must be at least
- 10 minutes.
+ description: |-
+ expirationSeconds is the requested duration of validity of the service
+ account token. As the token approaches expiration, the kubelet volume
+ plugin will proactively rotate the service account token. The kubelet will
+ start trying to rotate the token if the token is older than 80 percent of
+ its time to live or if the token is older than 24 hours.Defaults to 1 hour
+ and must be at least 10 minutes.
format: int64
type: integer
path:
- description: path is the path
- relative to the mount point
- of the file to project the token
- into.
+ description: |-
+ path is the path relative to the mount point of the file to project the
+ token into.
type: string
required:
- path
@@ -5468,30 +4723,29 @@ spec:
on the host that shares a pod's lifetime
properties:
group:
- description: group to map volume access
- to Default is no group
+ description: |-
+ group to map volume access to
+ Default is no group
type: string
readOnly:
- description: readOnly here will force the
- Quobyte volume to be mounted with read-only
- permissions. Defaults to false.
+ description: |-
+ readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+ Defaults to false.
type: boolean
registry:
- description: registry represents a single
- or multiple Quobyte Registry services
- specified as a string as host:port pair
- (multiple entries are separated with commas)
- which acts as the central registry for
- volumes
+ description: |-
+ registry represents a single or multiple Quobyte Registry services
+ specified as a string as host:port pair (multiple entries are separated with commas)
+ which acts as the central registry for volumes
type: string
tenant:
- description: tenant owning the given Quobyte
- volume in the Backend Used with dynamically
- provisioned Quobyte volumes, value is
- set by the plugin
+ description: |-
+ tenant owning the given Quobyte volume in the Backend
+ Used with dynamically provisioned Quobyte volumes, value is set by the plugin
type: string
user:
- description: user to map volume access to
+ description: |-
+ user to map volume access to
Defaults to serivceaccount user
type: string
volume:
@@ -5503,61 +4757,68 @@ spec:
- volume
type: object
rbd:
- description: 'rbd represents a Rados Block Device
- mount on the host that shares a pod''s lifetime.
- More info: https://examples.k8s.io/volumes/rbd/README.md'
+ description: |-
+ rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
- description: 'fsType is the filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
+ TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
image:
- description: 'image is the rados image name.
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ image is the rados image name.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
keyring:
- description: 'keyring is the path to key
- ring for RBDUser. Default is /etc/ceph/keyring.
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ keyring is the path to key ring for RBDUser.
+ Default is /etc/ceph/keyring.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
monitors:
- description: 'monitors is a collection of
- Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ monitors is a collection of Ceph monitors.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
items:
type: string
type: array
pool:
- description: 'pool is the rados pool name.
- Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ pool is the rados pool name.
+ Default is rbd.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
readOnly:
- description: 'readOnly here will force the
- ReadOnly setting in VolumeMounts. Defaults
- to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: boolean
secretRef:
- description: 'secretRef is name of the authentication
- secret for RBDUser. If provided overrides
- keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ secretRef is name of the authentication secret for RBDUser. If provided
+ overrides keyring.
+ Default is nil.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
user:
- description: 'user is the rados user name.
- Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ user is the rados user name.
+ Default is admin.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
required:
- image
@@ -5569,10 +4830,11 @@ spec:
nodes.
properties:
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Default is "xfs".
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs".
+ Default is "xfs".
type: string
gateway:
description: gateway is the host address
@@ -5584,21 +4846,20 @@ spec:
configured storage.
type: string
readOnly:
- description: readOnly Defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
- description: secretRef references to the
- secret for ScaleIO user and other sensitive
- information. If this is not provided,
- Login operation will fail.
+ description: |-
+ secretRef references to the secret for ScaleIO user and other
+ sensitive information. If this is not provided, Login operation will fail.
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
@@ -5608,9 +4869,9 @@ spec:
false
type: boolean
storageMode:
- description: storageMode indicates whether
- the storage for a volume should be ThickProvisioned
- or ThinProvisioned. Default is ThinProvisioned.
+ description: |-
+ storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+ Default is ThinProvisioned.
type: string
storagePool:
description: storagePool is the ScaleIO
@@ -5622,10 +4883,9 @@ spec:
system as configured in ScaleIO.
type: string
volumeName:
- description: volumeName is the name of a
- volume already created in the ScaleIO
- system that is associated with this volume
- source.
+ description: |-
+ volumeName is the name of a volume already created in the ScaleIO system
+ that is associated with this volume source.
type: string
required:
- gateway
@@ -5633,38 +4893,30 @@ spec:
- system
type: object
secret:
- description: 'secret represents a secret that
- should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+ description: |-
+ secret represents a secret that should populate this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
properties:
defaultMode:
- description: 'defaultMode is Optional: mode
- bits used to set permissions on created
- files by default. Must be an octal value
- between 0000 and 0777 or a decimal value
- between 0 and 511. YAML accepts both octal
- and decimal values, JSON requires decimal
- values for mode bits. Defaults to 0644.
- Directories within the path are not affected
- by this setting. This might be in conflict
- with other options that affect the file
- mode, like fsGroup, and the result can
- be other mode bits set.'
+ description: |-
+ defaultMode is Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values
+ for mode bits. Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
- description: items If unspecified, each
- key-value pair in the Data field of the
- referenced Secret will be projected into
- the volume as a file whose name is the
- key and content is the value. If specified,
- the listed keys will be projected into
- the specified paths, and unlisted keys
- will not be present. If a key is specified
- which is not present in the Secret, the
- volume setup will error unless it is marked
- optional. Paths must be relative and may
- not contain the '..' path or start with
- '..'.
+ description: |-
+ items If unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
@@ -5673,28 +4925,21 @@ spec:
description: key is the key to project.
type: string
mode:
- description: 'mode is Optional: mode
- bits used to set permissions on
- this file. Must be an octal value
- between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts
- both octal and decimal values, JSON
- requires decimal values for mode
- bits. If not specified, the volume
- defaultMode will be used. This might
- be in conflict with other options
- that affect the file mode, like
- fsGroup, and the result can be other
- mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the relative
- path of the file to map the key
- to. May not be an absolute path.
- May not contain the path element
- '..'. May not start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
@@ -5706,9 +4951,9 @@ spec:
the Secret or its keys must be defined
type: boolean
secretName:
- description: 'secretName is the name of
- the secret in the pod''s namespace to
- use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+ description: |-
+ secretName is the name of the secret in the pod's namespace to use.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
type: string
type: object
storageos:
@@ -5717,48 +4962,42 @@ spec:
nodes.
properties:
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
- description: readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
- description: secretRef specifies the secret
- to use for obtaining the StorageOS API
- credentials. If not specified, default
- values will be attempted.
+ description: |-
+ secretRef specifies the secret to use for obtaining the StorageOS API
+ credentials. If not specified, default values will be attempted.
properties:
name:
- description: 'Name of the referent.
+ description: |-
+ Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
volumeName:
- description: volumeName is the human-readable
- name of the StorageOS volume. Volume
+ description: |-
+ volumeName is the human-readable name of the StorageOS volume. Volume
names are only unique within a namespace.
type: string
volumeNamespace:
- description: volumeNamespace specifies the
- scope of the volume within StorageOS. If
- no namespace is specified then the Pod's
- namespace will be used. This allows the
- Kubernetes name scoping to be mirrored
- within StorageOS for tighter integration.
- Set VolumeName to any name to override
- the default behaviour. Set to "default"
- if you are not using namespaces within
- StorageOS. Namespaces that do not pre-exist
- within StorageOS will be created.
+ description: |-
+ volumeNamespace specifies the scope of the volume within StorageOS. If no
+ namespace is specified then the Pod's namespace will be used. This allows the
+ Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+ Set VolumeName to any name to override the default behaviour.
+ Set to "default" if you are not using namespaces within StorageOS.
+ Namespaces that do not pre-exist within StorageOS will be created.
type: string
type: object
vsphereVolume:
@@ -5767,11 +5006,10 @@ spec:
machine
properties:
fsType:
- description: fsType is filesystem type to
- mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ description: |-
+ fsType is filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
storagePolicyID:
description: storagePolicyID is the storage
@@ -5805,49 +5043,45 @@ spec:
existing pods with new ones.
properties:
rollingUpdate:
- description: 'Rolling update config params. Present
- only if DeploymentStrategyType = RollingUpdate.
- --- TODO: Update this to follow our convention for
- oneOf, whatever we decide it to be.'
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ ---
+ TODO: Update this to follow our convention for oneOf, whatever we decide it
+ to be.
properties:
maxSurge:
anyOf:
- type: integer
- type: string
- description: 'The maximum number of pods that
- can be scheduled above the desired number of
- pods. Value can be an absolute number (ex: 5)
- or a percentage of desired pods (ex: 10%). This
- can not be 0 if MaxUnavailable is 0. Absolute
- number is calculated from percentage by rounding
- up. Defaults to 25%. Example: when this is set
- to 30%, the new ReplicaSet can be scaled up
- immediately when the rolling update starts,
- such that the total number of old and new pods
- do not exceed 130% of desired pods. Once old
- pods have been killed, new ReplicaSet can be
- scaled up further, ensuring that total number
- of pods running at any time during the update
- is at most 130% of desired pods.'
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
- description: 'The maximum number of pods that
- can be unavailable during the update. Value
- can be an absolute number (ex: 5) or a percentage
- of desired pods (ex: 10%). Absolute number is
- calculated from percentage by rounding down.
- This can not be 0 if MaxSurge is 0. Defaults
- to 25%. Example: when this is set to 30%, the
- old ReplicaSet can be scaled down to 70% of
- desired pods immediately when the rolling update
- starts. Once new pods are ready, old ReplicaSet
- can be scaled down further, followed by scaling
- up the new ReplicaSet, ensuring that the total
- number of pods available at all times during
- the update is at least 70% of desired pods.'
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
x-kubernetes-int-or-string: true
type: object
type:
@@ -5857,40 +5091,37 @@ spec:
type: object
type: object
envoyHpa:
- description: EnvoyHpa defines the Horizontal Pod Autoscaler
- settings for Envoy Proxy Deployment. Once the HPA is being
- set, Replicas field from EnvoyDeployment will be ignored.
+ description: |-
+ EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
+ Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored.
properties:
behavior:
- description: behavior configures the scaling behavior
- of the target in both Up and Down directions (scaleUp
- and scaleDown fields respectively). If not set, the
- default HPAScalingRules for scale up and scale down
- are used. See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior.
+ description: |-
+ behavior configures the scaling behavior of the target
+ in both Up and Down directions (scaleUp and scaleDown fields respectively).
+ If not set, the default HPAScalingRules for scale up and scale down are used.
+ See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior.
properties:
scaleDown:
- description: scaleDown is scaling policy for scaling
- Down. If not set, the default value is to allow
- to scale down to minReplicas pods, with a 300 second
- stabilization window (i.e., the highest recommendation
- for the last 300sec is used).
+ description: |-
+ scaleDown is scaling policy for scaling Down.
+ If not set, the default value is to allow to scale down to minReplicas pods, with a
+ 300 second stabilization window (i.e., the highest recommendation for
+ the last 300sec is used).
properties:
policies:
- description: policies is a list of potential scaling
- polices which can be used during scaling. At
- least one policy must be specified, otherwise
- the HPAScalingRules will be discarded as invalid
+ description: |-
+ policies is a list of potential scaling polices which can be used during scaling.
+ At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past
interval.
properties:
periodSeconds:
- description: periodSeconds specifies the
- window of time for which the policy should
- hold true. PeriodSeconds must be greater
- than zero and less than or equal to 1800
- (30 min).
+ description: |-
+ periodSeconds specifies the window of time for which the policy should hold true.
+ PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
format: int32
type: integer
type:
@@ -5898,8 +5129,8 @@ spec:
scaling policy.
type: string
value:
- description: value contains the amount of
- change which is permitted by the policy.
+ description: |-
+ value contains the amount of change which is permitted by the policy.
It must be greater than zero
format: int32
type: integer
@@ -5911,46 +5142,42 @@ spec:
type: array
x-kubernetes-list-type: atomic
selectPolicy:
- description: selectPolicy is used to specify which
- policy should be used. If not set, the default
- value Max is used.
+ description: |-
+ selectPolicy is used to specify which policy should be used.
+ If not set, the default value Max is used.
type: string
stabilizationWindowSeconds:
- description: 'stabilizationWindowSeconds is the
- number of seconds for which past recommendations
- should be considered while scaling up or scaling
- down. StabilizationWindowSeconds must be greater
- than or equal to zero and less than or equal
- to 3600 (one hour). If not set, use the default
- values: - For scale up: 0 (i.e. no stabilization
- is done). - For scale down: 300 (i.e. the stabilization
- window is 300 seconds long).'
+ description: |-
+ stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+ considered while scaling up or scaling down.
+ StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+ If not set, use the default values:
+ - For scale up: 0 (i.e. no stabilization is done).
+ - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
format: int32
type: integer
type: object
scaleUp:
- description: 'scaleUp is scaling policy for scaling
- Up. If not set, the default value is the higher
- of: * increase no more than 4 pods per 60 seconds
- * double the number of pods per 60 seconds No stabilization
- is used.'
+ description: |-
+ scaleUp is scaling policy for scaling Up.
+ If not set, the default value is the higher of:
+ * increase no more than 4 pods per 60 seconds
+ * double the number of pods per 60 seconds
+ No stabilization is used.
properties:
policies:
- description: policies is a list of potential scaling
- polices which can be used during scaling. At
- least one policy must be specified, otherwise
- the HPAScalingRules will be discarded as invalid
+ description: |-
+ policies is a list of potential scaling polices which can be used during scaling.
+ At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past
interval.
properties:
periodSeconds:
- description: periodSeconds specifies the
- window of time for which the policy should
- hold true. PeriodSeconds must be greater
- than zero and less than or equal to 1800
- (30 min).
+ description: |-
+ periodSeconds specifies the window of time for which the policy should hold true.
+ PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
format: int32
type: integer
type:
@@ -5958,8 +5185,8 @@ spec:
scaling policy.
type: string
value:
- description: value contains the amount of
- change which is permitted by the policy.
+ description: |-
+ value contains the amount of change which is permitted by the policy.
It must be greater than zero
format: int32
type: integer
@@ -5971,55 +5198,50 @@ spec:
type: array
x-kubernetes-list-type: atomic
selectPolicy:
- description: selectPolicy is used to specify which
- policy should be used. If not set, the default
- value Max is used.
+ description: |-
+ selectPolicy is used to specify which policy should be used.
+ If not set, the default value Max is used.
type: string
stabilizationWindowSeconds:
- description: 'stabilizationWindowSeconds is the
- number of seconds for which past recommendations
- should be considered while scaling up or scaling
- down. StabilizationWindowSeconds must be greater
- than or equal to zero and less than or equal
- to 3600 (one hour). If not set, use the default
- values: - For scale up: 0 (i.e. no stabilization
- is done). - For scale down: 300 (i.e. the stabilization
- window is 300 seconds long).'
+ description: |-
+ stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+ considered while scaling up or scaling down.
+ StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+ If not set, use the default values:
+ - For scale up: 0 (i.e. no stabilization is done).
+ - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
format: int32
type: integer
type: object
type: object
maxReplicas:
- description: maxReplicas is the upper limit for the number
- of replicas to which the autoscaler can scale up. It
- cannot be less that minReplicas.
+ description: |-
+ maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+ It cannot be less that minReplicas.
format: int32
type: integer
x-kubernetes-validations:
- message: maxReplicas must be greater than 0
rule: self > 0
metrics:
- description: metrics contains the specifications for which
- to use to calculate the desired replica count (the maximum
- replica count across all metrics will be used). If left
- empty, it defaults to being based on CPU utilization
- with average on 80% usage.
+ description: |-
+ metrics contains the specifications for which to use to calculate the
+ desired replica count (the maximum replica count across all metrics will
+ be used).
+ If left empty, it defaults to being based on CPU utilization with average on 80% usage.
items:
- description: MetricSpec specifies how to scale based
- on a single metric (only `type` and one other matching
- field should be set at once).
+ description: |-
+ MetricSpec specifies how to scale based on a single metric
+ (only `type` and one other matching field should be set at once).
properties:
containerResource:
- description: containerResource refers to a resource
- metric (such as those specified in requests and
- limits) known to Kubernetes describing a single
- container in each pod of the current scale target
- (e.g. CPU or memory). Such metrics are built in
- to Kubernetes, and have special scaling options
- on top of those available to normal per-pod metrics
- using the "pods" source. This is an alpha feature
- and can be enabled by the HPAContainerMetrics
- feature flag.
+ description: |-
+ containerResource refers to a resource metric (such as those specified in
+ requests and limits) known to Kubernetes describing a single container in
+ each pod of the current scale target (e.g. CPU or memory). Such metrics are
+ built in to Kubernetes, and have special scaling options on top of those
+ available to normal per-pod metrics using the "pods" source.
+ This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
properties:
container:
description: container is the name of the container
@@ -6034,22 +5256,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6074,12 +5294,12 @@ spec:
- target
type: object
external:
- description: external refers to a global metric
- that is not associated with any Kubernetes object.
- It allows autoscaling based on information coming
- from components running outside of cluster (for
- example length of queue in cloud messaging service,
- or QPS from loadbalancer running outside of cluster).
+ description: |-
+ external refers to a global metric that is not associated
+ with any Kubernetes object. It allows autoscaling based on information
+ coming from components running outside of cluster
+ (for example length of queue in cloud messaging service, or
+ QPS from loadbalancer running outside of cluster).
properties:
metric:
description: metric identifies the target metric
@@ -6090,23 +5310,19 @@ spec:
metric
type: string
selector:
- description: selector is the string-encoded
- form of a standard kubernetes label selector
- for the given metric When set, it is passed
- as an additional parameter to the metrics
- server for more specific metrics scoping.
- When unset, just the metricName will be
- used to gather metrics.
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -6114,20 +5330,16 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty.
- This array is replaced during
- a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -6139,14 +5351,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of
- {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are
- ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6158,22 +5366,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6197,9 +5403,9 @@ spec:
- target
type: object
object:
- description: object refers to a metric describing
- a single kubernetes object (for example, hits-per-second
- on an Ingress object).
+ description: |-
+ object refers to a metric describing a single kubernetes object
+ (for example, hits-per-second on an Ingress object).
properties:
describedObject:
description: describedObject specifies the descriptions
@@ -6230,23 +5436,19 @@ spec:
metric
type: string
selector:
- description: selector is the string-encoded
- form of a standard kubernetes label selector
- for the given metric When set, it is passed
- as an additional parameter to the metrics
- server for more specific metrics scoping.
- When unset, just the metricName will be
- used to gather metrics.
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -6254,20 +5456,16 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty.
- This array is replaced during
- a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -6279,14 +5477,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of
- {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are
- ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6298,22 +5492,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6338,11 +5530,10 @@ spec:
- target
type: object
pods:
- description: pods refers to a metric describing
- each pod in the current scale target (for example,
- transactions-processed-per-second). The values
- will be averaged together before being compared
- to the target value.
+ description: |-
+ pods refers to a metric describing each pod in the current scale target
+ (for example, transactions-processed-per-second). The values will be
+ averaged together before being compared to the target value.
properties:
metric:
description: metric identifies the target metric
@@ -6353,23 +5544,19 @@ spec:
metric
type: string
selector:
- description: selector is the string-encoded
- form of a standard kubernetes label selector
- for the given metric When set, it is passed
- as an additional parameter to the metrics
- server for more specific metrics scoping.
- When unset, just the metricName will be
- used to gather metrics.
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -6377,20 +5564,16 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty.
- This array is replaced during
- a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -6402,14 +5585,10 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of
- {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are
- ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6421,22 +5600,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6460,13 +5637,12 @@ spec:
- target
type: object
resource:
- description: resource refers to a resource metric
- (such as those specified in requests and limits)
- known to Kubernetes describing each pod in the
- current scale target (e.g. CPU or memory). Such
- metrics are built in to Kubernetes, and have special
- scaling options on top of those available to normal
- per-pod metrics using the "pods" source.
+ description: |-
+ resource refers to a resource metric (such as those specified in
+ requests and limits) known to Kubernetes describing each pod in the
+ current scale target (e.g. CPU or memory). Such metrics are built in to
+ Kubernetes, and have special scaling options on top of those available
+ to normal per-pod metrics using the "pods" source.
properties:
name:
description: name is the name of the resource
@@ -6477,22 +5653,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6516,21 +5690,20 @@ spec:
- target
type: object
type:
- description: 'type is the type of metric source. It
- should be one of "ContainerResource", "External",
- "Object", "Pods" or "Resource", each mapping to
- a matching field in the object. Note: "ContainerResource"
- type is available on when the feature-gate HPAContainerMetrics
- is enabled'
+ description: |-
+ type is the type of metric source. It should be one of "ContainerResource", "External",
+ "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+ Note: "ContainerResource" type is available on when the feature-gate
+ HPAContainerMetrics is enabled
type: string
required:
- type
type: object
type: array
minReplicas:
- description: minReplicas is the lower limit for the number
- of replicas to which the autoscaler can scale down.
- It defaults to 1 replica.
+ description: |-
+ minReplicas is the lower limit for the number of replicas to which the autoscaler
+ can scale down. It defaults to 1 replica.
format: int32
type: integer
x-kubernetes-validations:
@@ -6543,52 +5716,47 @@ spec:
- message: maxReplicas cannot be less than minReplicas
rule: '!has(self.minReplicas) || self.maxReplicas >= self.minReplicas'
envoyService:
- description: EnvoyService defines the desired state of the
- Envoy service resource. If unspecified, default settings
- for the managed Envoy service resource are applied.
+ description: |-
+ EnvoyService defines the desired state of the Envoy service resource.
+ If unspecified, default settings for the managed Envoy service resource
+ are applied.
properties:
allocateLoadBalancerNodePorts:
- description: AllocateLoadBalancerNodePorts defines if
- NodePorts will be automatically allocated for services
- with type LoadBalancer. Default is "true". It may be
- set to "false" if the cluster load-balancer does not
- rely on NodePorts. If the caller requests specific NodePorts
- (by specifying a value), those requests will be respected,
- regardless of this field. This field may only be set
- for services with type LoadBalancer and will be cleared
- if the type is changed to any other type.
+ description: |-
+ AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
+ services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
+ load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
+ value), those requests will be respected, regardless of this field. This field may only be set for
+ services with type LoadBalancer and will be cleared if the type is changed to any other type.
type: boolean
annotations:
additionalProperties:
type: string
- description: Annotations that should be appended to the
- service. By default, no annotations are appended.
+ description: |-
+ Annotations that should be appended to the service.
+ By default, no annotations are appended.
type: object
externalTrafficPolicy:
default: Local
- description: ExternalTrafficPolicy determines the externalTrafficPolicy
- for the Envoy Service. Valid options are Local and Cluster.
- Default is "Local". "Local" means traffic will only
- go to pods on the node receiving the traffic. "Cluster"
- means connections are loadbalanced to all pods in the
- cluster.
+ description: |-
+ ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
+ are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
+ receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster.
enum:
- Local
- Cluster
type: string
loadBalancerClass:
- description: LoadBalancerClass, when specified, allows
- for choosing the LoadBalancer provider implementation
- if more than one are available or is otherwise expected
- to be specified
+ description: |-
+ LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
+ implementation if more than one are available or is otherwise expected to be specified
type: string
loadBalancerIP:
- description: LoadBalancerIP defines the IP Address of
- the underlying load balancer service. This field may
- be ignored if the load balancer provider does not support
- this feature. This field has been deprecated in Kubernetes,
- but it is still used for setting the IP Address in some
- cloud providers such as GCP.
+ description: |-
+ LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
+ may be ignored if the load balancer provider does not support this feature.
+ This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
+ providers such as GCP.
type: string
x-kubernetes-validations:
- message: loadBalancerIP must be a valid IPv4 address
@@ -6598,9 +5766,11 @@ spec:
to the service
properties:
type:
- description: "Type is the type of merge operation
- to perform \n By default, StrategicMerge is used
- as the patch type."
+ description: |-
+ Type is the type of merge operation to perform
+
+
+ By default, StrategicMerge is used as the patch type.
type: string
value:
description: Object contains the raw configuration
@@ -6611,14 +5781,12 @@ spec:
type: object
type:
default: LoadBalancer
- description: Type determines how the Service is exposed.
- Defaults to LoadBalancer. Valid options are ClusterIP,
- LoadBalancer and NodePort. "LoadBalancer" means a service
- will be exposed via an external load balancer (if the
- cloud provider supports it). "ClusterIP" means a service
- will only be accessible inside the cluster, via the
- cluster IP. "NodePort" means a service will be exposed
- on a static Port on all Nodes of the cluster.
+ description: |-
+ Type determines how the Service is exposed. Defaults to LoadBalancer.
+ Valid options are ClusterIP, LoadBalancer and NodePort.
+ "LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
+ "ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
+ "NodePort" means a service will be exposed on a static Port on all Nodes of the cluster.
enum:
- ClusterIP
- LoadBalancer
@@ -6635,10 +5803,10 @@ spec:
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
type: object
type:
- description: Type is the type of resource provider to use. A resource
- provider provides infrastructure resources for running the data
- plane, e.g. Envoy proxy, and optional auxiliary control planes.
- Supported types are "Kubernetes".
+ description: |-
+ Type is the type of resource provider to use. A resource provider provides
+ infrastructure resources for running the data plane, e.g. Envoy proxy, and
+ optional auxiliary control planes. Supported types are "Kubernetes".
enum:
- Kubernetes
type: string
@@ -6650,30 +5818,32 @@ spec:
process.
properties:
drainTimeout:
- description: DrainTimeout defines the graceful drain timeout.
- This should be less than the pod's terminationGracePeriodSeconds.
+ description: |-
+ DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 600 seconds.
type: string
minDrainDuration:
- description: MinDrainDuration defines the minimum drain duration
- allowing time for endpoint deprogramming to complete. If unspecified,
- defaults to 5 seconds.
+ description: |-
+ MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
+ If unspecified, defaults to 5 seconds.
type: string
type: object
telemetry:
description: Telemetry defines telemetry parameters for managed proxies.
properties:
accessLog:
- description: AccessLogs defines accesslog parameters for managed
- proxies. If unspecified, will send default format to stdout.
+ description: |-
+ AccessLogs defines accesslog parameters for managed proxies.
+ If unspecified, will send default format to stdout.
properties:
disable:
description: Disable disables access logging for managed proxies
if set to true.
type: boolean
settings:
- description: Settings defines accesslog settings for managed
- proxies. If unspecified, will send default format to stdout.
+ description: |-
+ Settings defines accesslog settings for managed proxies.
+ If unspecified, will send default format to stdout.
items:
properties:
format:
@@ -6682,21 +5852,18 @@ spec:
json:
additionalProperties:
type: string
- description: JSON is additional attributes that
- describe the specific event occurrence. Structured
- format for the envoy access logs. Envoy [command
- operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
+ description: |-
+ JSON is additional attributes that describe the specific event occurrence.
+ Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON".
type: object
text:
- description: Text defines the text accesslog format,
- following Envoy accesslog formatting, It's required
- when the format type is "Text". Envoy [command
- operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
- may be used in the format. The [format string
- documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
- provides more information.
+ description: |-
+ Text defines the text accesslog format, following Envoy accesslog formatting,
+ It's required when the format type is "Text".
+ Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
+ The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information.
type: string
type:
description: Type defines the type of accesslog
@@ -6732,28 +5899,112 @@ spec:
description: OpenTelemetry defines the OpenTelemetry
accesslog sink.
properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the accesslog will be sent.
+ Only service Kind is supported for now.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+
+ Defaults to "Service" when not specified.
+
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type other than ExternalName)
+
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
host:
- description: Host define the extension service
- hostname.
+ description: |-
+ Host define the extension service hostname.
+ Deprecated: Use BackendRef instead.
type: string
port:
default: 4317
- description: Port defines the port the extension
- service is exposed on.
+ description: |-
+ Port defines the port the extension service is exposed on.
+ Deprecated: Use BackendRef instead.
format: int32
minimum: 0
type: integer
resources:
additionalProperties:
type: string
- description: Resources is a set of labels
- that describe the source of a log entry,
- including envoy node info. It's recommended
- to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
+ description: |-
+ Resources is a set of labels that describe the source of a log entry, including envoy node info.
+ It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
type: object
required:
- host
type: object
+ x-kubernetes-validations:
+ - message: BackendRef only support Service Kind.
+ rule: '!has(self.backendRef) || !has(self.backendRef.kind)
+ || self.backendRef.kind == ''Service'''
type:
description: Type defines the type of accesslog
sink.
@@ -6788,19 +6039,18 @@ spec:
for virtual hosts.
type: boolean
matches:
- description: 'Matches defines configuration for selecting
- specific metrics instead of generating all metrics stats
- that are enabled by default. This helps reduce CPU and memory
- overhead in Envoy, but eliminating some stats may after
- critical functionality. Here are the stats that we strongly
- recommend not disabling: `cluster_manager.warming_clusters`,
- `cluster..membership_total`,`cluster..membership_healthy`,
+ description: |-
+ Matches defines configuration for selecting specific metrics instead of generating all metrics stats
+ that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
+ may after critical functionality. Here are the stats that we strongly recommend not disabling:
+ `cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
- https://github.com/envoyproxy/envoy/issues/14610'
+ https://github.com/envoyproxy/envoy/issues/14610
items:
- description: StringMatch defines how to match any strings.
- This is a general purpose match condition that can be
- used by other EG APIs that need to match against a string.
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
properties:
type:
default: Exact
@@ -6833,21 +6083,104 @@ spec:
description: Sinks defines the metric sinks where metrics
are sent to.
items:
- description: ProxyMetricSink defines the sink of metrics.
+ description: |-
+ ProxyMetricSink defines the sink of metrics.
Default metrics sink is OpenTelemetry.
properties:
openTelemetry:
- description: OpenTelemetry defines the configuration
- for OpenTelemetry sink. It's required if the sink
- type is OpenTelemetry.
+ description: |-
+ OpenTelemetry defines the configuration for OpenTelemetry sink.
+ It's required if the sink type is OpenTelemetry.
properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the metric will be sent.
+ Only service Kind is supported for now.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+
+ Defaults to "Service" when not specified.
+
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type other than ExternalName)
+
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind ==
+ ''Service'') ? has(self.port) : true'
host:
- description: Host define the service hostname.
+ description: |-
+ Host define the service hostname.
+ Deprecated: Use BackendRef instead.
type: string
port:
default: 4317
- description: Port defines the port the service is
- exposed on.
+ description: |-
+ Port defines the port the service is exposed on.
+ Deprecated: Use BackendRef instead.
format: int32
maximum: 65535
minimum: 0
@@ -6855,10 +6188,15 @@ spec:
required:
- host
type: object
+ x-kubernetes-validations:
+ - message: BackendRef only support Service Kind.
+ rule: '!has(self.backendRef) || !has(self.backendRef.kind)
+ || self.backendRef.kind == ''Service'''
type:
default: OpenTelemetry
- description: Type defines the metric sink type. EG currently
- only supports OpenTelemetry.
+ description: |-
+ Type defines the metric sink type.
+ EG currently only supports OpenTelemetry.
enum:
- OpenTelemetry
type: string
@@ -6873,16 +6211,17 @@ spec:
type: array
type: object
tracing:
- description: Tracing defines tracing configuration for managed
- proxies. If unspecified, will not send tracing data.
+ description: |-
+ Tracing defines tracing configuration for managed proxies.
+ If unspecified, will not send tracing data.
properties:
customTags:
additionalProperties:
properties:
environment:
- description: Environment adds value from environment
- variable to each span. It's required when the type
- is "Environment".
+ description: |-
+ Environment adds value from environment variable to each span.
+ It's required when the type is "Environment".
properties:
defaultValue:
description: DefaultValue defines the default value
@@ -6896,7 +6235,8 @@ spec:
- name
type: object
literal:
- description: Literal adds hard-coded value to each span.
+ description: |-
+ Literal adds hard-coded value to each span.
It's required when the type is "Literal".
properties:
value:
@@ -6907,8 +6247,9 @@ spec:
- value
type: object
requestHeader:
- description: RequestHeader adds value from request header
- to each span. It's required when the type is "RequestHeader".
+ description: |-
+ RequestHeader adds value from request header to each span.
+ It's required when the type is "RequestHeader".
properties:
defaultValue:
description: DefaultValue defines the default value
@@ -6932,28 +6273,112 @@ spec:
required:
- type
type: object
- description: CustomTags defines the custom tags to add to
- each span. If provider is kubernetes, pod name and namespace
- are added by default.
+ description: |-
+ CustomTags defines the custom tags to add to each span.
+ If provider is kubernetes, pod name and namespace are added by default.
type: object
provider:
- description: Provider defines the tracing provider. Only OpenTelemetry
- is supported currently.
+ description: |-
+ Provider defines the tracing provider.
+ Only OpenTelemetry is supported currently.
properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the accesslog will be sent.
+ Only service Kind is supported for now.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+
+ Defaults to "Service" when not specified.
+
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type other than ExternalName)
+
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
host:
- description: Host define the provider service hostname.
+ description: |-
+ Host define the provider service hostname.
+ Deprecated: Use BackendRef instead.
type: string
port:
default: 4317
- description: Port defines the port the provider service
- is exposed on.
+ description: |-
+ Port defines the port the provider service is exposed on.
+ Deprecated: Use BackendRef instead.
format: int32
minimum: 0
type: integer
type:
default: OpenTelemetry
- description: Type defines the tracing provider type. EG
- currently only supports OpenTelemetry.
+ description: |-
+ Type defines the tracing provider type.
+ EG currently only supports OpenTelemetry.
enum:
- OpenTelemetry
type: string
@@ -6961,12 +6386,16 @@ spec:
- host
- type
type: object
+ x-kubernetes-validations:
+ - message: BackendRef only support Service Kind.
+ rule: '!has(self.backendRef) || !has(self.backendRef.kind)
+ || self.backendRef.kind == ''Service'''
samplingRate:
default: 100
- description: SamplingRate controls the rate at which traffic
- will be selected for tracing if no prior sampling decision
- has been made. Defaults to 100, valid values [0-100]. 100
- indicates 100% sampling.
+ description: |-
+ SamplingRate controls the rate at which traffic will be
+ selected for tracing if no prior sampling decision has been made.
+ Defaults to 100, valid values [0-100]. 100 indicates 100% sampling.
format: int32
maximum: 100
minimum: 0
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 40d0f731550..bad8a8f3533 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: securitypolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -28,18 +28,24 @@ spec:
name: v1alpha1
schema:
openAPIV3Schema:
- description: SecurityPolicy allows the user to configure various security
- settings for a Gateway.
+ description: |-
+ SecurityPolicy allows the user to configure various security settings for a
+ Gateway.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -51,21 +57,27 @@ spec:
Authentication.
properties:
users:
- description: "The Kubernetes secret which contains the username-password
- pairs in htpasswd format, used to verify user credentials in
- the \"Authorization\" header. \n This is an Opaque secret. The
- username-password pairs should be stored in the key \".htpasswd\".
- As the key name indicates, the value needs to be the htpasswd
- format, for example: \"user1:{SHA}hashed_user1_password\". Right
- now, only SHA hash algorithm is supported. Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
- for more details. \n Note: The secret must be in the same namespace
- as the SecurityPolicy."
+ description: |-
+ The Kubernetes secret which contains the username-password pairs in
+ htpasswd format, used to verify user credentials in the "Authorization"
+ header.
+
+
+ This is an Opaque secret. The username-password pairs should be stored in
+ the key ".htpasswd". As the key name indicates, the value needs to be the
+ htpasswd format, for example: "user1:{SHA}hashed_user1_password".
+ Right now, only SHA hash algorithm is supported.
+ Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
+ for more details.
+
+
+ Note: The secret must be in the same namespace as the SecurityPolicy.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty string,
- core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -82,13 +94,18 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the local namespace
- is specified, a ReferenceGrant object is required in the
- referent namespace to allow that namespace's owner to accept
- the reference. See the ReferenceGrant documentation for
- details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -104,9 +121,9 @@ spec:
Sharing (CORS).
properties:
allowCredentials:
- description: AllowCredentials indicates whether a request can
- include user credentials like cookies, authentication headers,
- or TLS client certificates.
+ description: |-
+ AllowCredentials indicates whether a request can include user credentials
+ like cookies, authentication headers, or TLS client certificates.
type: boolean
allowHeaders:
description: AllowHeaders defines the headers that are allowed
@@ -125,15 +142,21 @@ spec:
description: AllowOrigins defines the origins that are allowed
to make requests.
items:
- description: "Origin is defined by the scheme (protocol), hostname
- (domain), and port of the URL used to access it. The hostname
- can be \"precise\" which is just the domain name or \"wildcard\"
- which is a domain name prefixed with a single wildcard label
- such as \"*.example.com\". In addition to that a single wildcard
- (with or without scheme) can be configured to match any origin.
- \n For example, the following are valid origins: - https://foo.example.com
- - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080
- - https://*"
+ description: |-
+ Origin is defined by the scheme (protocol), hostname (domain), and port of
+ the URL used to access it. The hostname can be "precise" which is just the
+ domain name or "wildcard" which is a domain name prefixed with a single
+ wildcard label such as "*.example.com".
+ In addition to that a single wildcard (with or without scheme) can be
+ configured to match any origin.
+
+
+ For example, the following are valid origins:
+ - https://foo.example.com
+ - https://*.example.com
+ - http://foo.example.com:8080
+ - http://*.example.com:8080
+ - https://*
maxLength: 253
minLength: 1
pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$
@@ -156,47 +179,54 @@ spec:
properties:
failOpen:
default: false
- description: FailOpen is a switch used to control the behavior
- when a response from the External Authorization service cannot
- be obtained. If FailOpen is set to true, the system allows the
- traffic to pass through. Otherwise, if it is set to false or
- not set (defaulting to false), the system blocks the traffic
- and returns a HTTP 5xx error, reflecting a fail-closed approach.
- This setting determines whether to prioritize accessibility
- over strict security in case of authorization service failure.
+ description: |-
+ FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
+ If FailOpen is set to true, the system allows the traffic to pass through.
+ Otherwise, if it is set to false or not set (defaulting to false),
+ the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
+ This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
type: boolean
grpc:
- description: GRPC defines the gRPC External Authorization service.
- Either GRPCService or HTTPService must be specified, and only
- one of them can be provided.
+ description: |-
+ GRPC defines the gRPC External Authorization service.
+ Either GRPCService or HTTPService must be specified,
+ and only one of them can be provided.
properties:
backendRef:
- description: BackendRef references a Kubernetes object that
- represents the backend server to which the authorization
- request will be sent. Only service Kind is supported for
- now.
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ Only service Kind is supported for now.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+
+ Defaults to "Service" when not specified.
+
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type other than ExternalName)
+
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -207,24 +237,29 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
@@ -240,53 +275,61 @@ spec:
- backendRef
type: object
headersToExtAuth:
- description: 'HeadersToExtAuth defines the client request headers
- that will be included in the request to the external authorization
- service. Note: If not specified, the default behavior for gRPC
- and HTTP external authorization services is different due to
- backward compatibility reasons. All headers will be included
- in the check request to a gRPC authorization server. Only the
- following headers will be included in the check request to an
- HTTP authorization server: Host, Method, Path, Content-Length,
- and Authorization. And these headers will always be included
- to the check request to an HTTP authorization server by default,
- no matter whether they are specified in HeadersToExtAuth or
- not.'
+ description: |-
+ HeadersToExtAuth defines the client request headers that will be included
+ in the request to the external authorization service.
+ Note: If not specified, the default behavior for gRPC and HTTP external
+ authorization services is different due to backward compatibility reasons.
+ All headers will be included in the check request to a gRPC authorization server.
+ Only the following headers will be included in the check request to an HTTP
+ authorization server: Host, Method, Path, Content-Length, and Authorization.
+ And these headers will always be included to the check request to an HTTP
+ authorization server by default, no matter whether they are specified
+ in HeadersToExtAuth or not.
items:
type: string
type: array
http:
- description: HTTP defines the HTTP External Authorization service.
- Either GRPCService or HTTPService must be specified, and only
- one of them can be provided.
+ description: |-
+ HTTP defines the HTTP External Authorization service.
+ Either GRPCService or HTTPService must be specified,
+ and only one of them can be provided.
properties:
backendRef:
- description: BackendRef references a Kubernetes object that
- represents the backend server to which the authorization
- request will be sent. Only service Kind is supported for
- now.
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ Only service Kind is supported for now.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+
+ Defaults to "Service" when not specified.
+
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type other than ExternalName)
+
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -297,24 +340,29 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
@@ -327,19 +375,20 @@ spec:
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
headersToBackend:
- description: HeadersToBackend are the authorization response
- headers that will be added to the original client request
- before sending it to the backend server. Note that coexisting
- headers will be overridden. If not specified, no authorization
- response headers will be added to the original client request.
+ description: |-
+ HeadersToBackend are the authorization response headers that will be added
+ to the original client request before sending it to the backend server.
+ Note that coexisting headers will be overridden.
+ If not specified, no authorization response headers will be added to the
+ original client request.
items:
type: string
type: array
path:
- description: Path is the path of the HTTP External Authorization
- service. If path is specified, the authorization request
- will be sent to that path, or else the authorization request
- will be sent to the root path.
+ description: |-
+ Path is the path of the HTTP External Authorization service.
+ If path is specified, the authorization request will be sent to that path,
+ or else the authorization request will be sent to the root path.
type: string
required:
- backendRef
@@ -374,37 +423,38 @@ spec:
authentication.
properties:
providers:
- description: Providers defines the JSON Web Token (JWT) authentication
- provider type. When multiple JWT providers are specified, the
- JWT is considered valid if any of the providers successfully
- validate the JWT. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
+ description: |-
+ Providers defines the JSON Web Token (JWT) authentication provider type.
+ When multiple JWT providers are specified, the JWT is considered valid if
+ any of the providers successfully validate the JWT. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
items:
description: JWTProvider defines how a JSON Web Token (JWT)
can be verified.
properties:
audiences:
- description: Audiences is a list of JWT audiences allowed
- access. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3.
- If not provided, JWT audiences are not checked.
+ description: |-
+ Audiences is a list of JWT audiences allowed access. For additional details, see
+ https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
+ are not checked.
items:
type: string
maxItems: 8
type: array
claimToHeaders:
- description: 'ClaimToHeaders is a list of JWT claims that
- must be extracted into HTTP request headers For examples,
- following config: The claim must be of type; string, int,
- double, bool. Array type claims are not supported'
+ description: |-
+ ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
+ For examples, following config:
+ The claim must be of type; string, int, double, bool. Array type claims are not supported
items:
description: ClaimToHeader defines a configuration to
convert JWT claims into HTTP headers
properties:
claim:
- description: 'Claim is the JWT Claim that should be
- saved into the header : it can be a nested claim
- of type (eg. "claim.nested.key", "sub"). The nested
- claim name must use dot "." to separate the JSON
- name path.'
+ description: |-
+ Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
+ (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
+ to separate the JSON name path.
type: string
header:
description: Header defines the name of the HTTP request
@@ -416,11 +466,10 @@ spec:
type: object
type: array
extractFrom:
- description: ExtractFrom defines different ways to extract
- the JWT token from HTTP request. If empty, it defaults
- to extract JWT token from the Authorization HTTP request
- header using Bearer schema or access_token from query
- parameters.
+ description: |-
+ ExtractFrom defines different ways to extract the JWT token from HTTP request.
+ If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
+ or access_token from query parameters.
properties:
cookies:
description: Cookies represents a list of cookie names
@@ -440,12 +489,10 @@ spec:
the token
type: string
valuePrefix:
- description: 'ValuePrefix is the prefix that should
- be stripped before extracting the token. The
- format would be used by Envoy like "{ValuePrefix}".
- For example, "Authorization: Bearer ",
- then the ValuePrefix="Bearer " with a space
- at the end.'
+ description: |-
+ ValuePrefix is the prefix that should be stripped before extracting the token.
+ The format would be used by Envoy like "{ValuePrefix}".
+ For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end.
type: string
required:
- name
@@ -459,36 +506,36 @@ spec:
type: array
type: object
issuer:
- description: Issuer is the principal that issued the JWT
- and takes the form of a URL or email address. For additional
- details, see https://tools.ietf.org/html/rfc7519#section-4.1.1
- for URL format and https://rfc-editor.org/rfc/rfc5322.html
- for email format. If not provided, the JWT issuer is not
- checked.
+ description: |-
+ Issuer is the principal that issued the JWT and takes the form of a URL or email address.
+ For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
+ URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
+ the JWT issuer is not checked.
maxLength: 253
type: string
name:
- description: Name defines a unique name for the JWT provider.
- A name can have a variety of forms, including RFC1123
- subdomains, RFC 1123 labels, or RFC 1035 labels.
+ description: |-
+ Name defines a unique name for the JWT provider. A name can have a variety of forms,
+ including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
maxLength: 253
minLength: 1
type: string
recomputeRoute:
- description: RecomputeRoute clears the route cache and recalculates
- the routing decision. This field must be enabled if the
- headers generated from the claim are used for route matching
- decisions. If the recomputation selects a new route, features
- targeting the new matched route will be applied.
+ description: |-
+ RecomputeRoute clears the route cache and recalculates the routing decision.
+ This field must be enabled if the headers generated from the claim are used for
+ route matching decisions. If the recomputation selects a new route, features targeting
+ the new matched route will be applied.
type: boolean
remoteJWKS:
- description: RemoteJWKS defines how to fetch and cache JSON
- Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
+ description: |-
+ RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
+ HTTP/HTTPS endpoint.
properties:
uri:
- description: URI is the HTTPS URI to fetch the JWKS.
- Envoy's system trust bundle is used to validate the
- server certificate.
+ description: |-
+ URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
+ validate the server certificate.
maxLength: 253
minLength: 1
type: string
@@ -515,21 +562,25 @@ spec:
(OIDC) authentication.
properties:
clientID:
- description: The client ID to be used in the OIDC [Authentication
- Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ description: |-
+ The client ID to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
minLength: 1
type: string
clientSecret:
- description: "The Kubernetes secret which contains the OIDC client
- secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
- \n This is an Opaque secret. The client secret should be stored
- in the key \"client-secret\"."
+ description: |-
+ The Kubernetes secret which contains the OIDC client secret to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+
+ This is an Opaque secret. The client secret should be stored in the key
+ "client-secret".
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty string,
- core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -546,13 +597,18 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the local namespace
- is specified, a ReferenceGrant object is required in the
- referent namespace to allow that namespace's owner to accept
- the reference. See the ReferenceGrant documentation for
- details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -561,48 +617,53 @@ spec:
- name
type: object
logoutPath:
- description: The path to log a user out, clearing their credential
- cookies. If not specified, uses a default logout path "/logout"
+ description: |-
+ The path to log a user out, clearing their credential cookies.
+ If not specified, uses a default logout path "/logout"
type: string
provider:
description: The OIDC Provider configuration.
properties:
authorizationEndpoint:
- description: The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
- If not provided, EG will try to discover it from the provider's
- [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ description: |-
+ The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
type: string
issuer:
- description: The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
- Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component
- that MUST be https, a host component, and optionally, port
- and path components and no query or fragment components.
+ description: |-
+ The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+ Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
+ be https, a host component, and optionally, port and path components and
+ no query or fragment components.
minLength: 1
type: string
tokenEndpoint:
- description: The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
- If not provided, EG will try to discover it from the provider's
- [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ description: |-
+ The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
type: string
required:
- issuer
type: object
redirectURL:
- description: The redirect URL to be used in the OIDC [Authentication
- Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ description: |-
+ The redirect URL to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
type: string
resources:
- description: The OIDC resources to be used in the [Authentication
- Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ description: |-
+ The OIDC resources to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
items:
type: string
type: array
scopes:
- description: The OIDC scopes to be used in the [Authentication
- Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
- The "openid" scope is always added to the list of scopes if
- not already specified.
+ description: |-
+ The OIDC scopes to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ The "openid" scope is always added to the list of scopes if not already
+ specified.
items:
type: string
type: array
@@ -612,10 +673,11 @@ spec:
- provider
type: object
targetRef:
- description: TargetRef is the name of the Gateway resource this policy
- is being attached to. This Policy and the TargetRef MUST be in the
- same namespace for this Policy to have effect and be applied to
- the Gateway.
+ description: |-
+ TargetRef is the name of the Gateway resource this policy
+ is being attached to.
+ This Policy and the TargetRef MUST be in the same namespace
+ for this Policy to have effect and be applied to the Gateway.
properties:
group:
description: Group is the group of the target resource.
@@ -634,23 +696,29 @@ spec:
minLength: 1
type: string
namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, the local
+ namespace is inferred. Even when policy targets a resource in a different
+ namespace, it MUST only apply to traffic originating from the same
+ namespace as the policy.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name
+ * Service: Port Name
+
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -674,169 +742,233 @@ spec:
description: Status defines the current status of SecurityPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+
+ There are two kinds of parent resources with "Core" support:
+
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, experimental, ClusterIP Services only)
+
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+
+ Support: Extended
+
+
+
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+
+ * Gateway: Listener Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port Name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services as Parents
+ is part of experimental Mesh support and is not supported for any other
+ purpose.
+
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -849,46 +981,45 @@ spec:
respect to the given Ancestor.
items:
description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
+ the current state of this API Resource.\n---\nThis struct
is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ .status.conditions. For example,\n\n\n\ttype FooStatus
+ struct{\n\t // Represents the observations of a foo's
+ current state.\n\t // Known .status.conditions.type are:
+ \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
+ +listType=map\n\t // +listMapKey=type\n\t Conditions
+ []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
+ patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -902,12 +1033,12 @@ spec:
- Unknown
type: string
type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -925,16 +1056,23 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+
+ Example: "example.net/gateway-controller".
+
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl
index 104f5f0f014..4cf4082a4c2 100644
--- a/charts/gateway-helm/templates/_rbac.tpl
+++ b/charts/gateway-helm/templates/_rbac.tpl
@@ -69,6 +69,7 @@ resources:
- clienttrafficpolicies
- backendtrafficpolicies
- securitypolicies
+- envoyextensionpolicies
verbs:
- get
- list
@@ -83,6 +84,7 @@ resources:
- clienttrafficpolicies/status
- backendtrafficpolicies/status
- securitypolicies/status
+- envoyextensionpolicies/status
verbs:
- update
{{- end }}
diff --git a/charts/gateway-helm/templates/infra-manager-rbac.yaml b/charts/gateway-helm/templates/infra-manager-rbac.yaml
index 3929524f484..ad8aa5e5b0b 100644
--- a/charts/gateway-helm/templates/infra-manager-rbac.yaml
+++ b/charts/gateway-helm/templates/infra-manager-rbac.yaml
@@ -14,8 +14,8 @@ rules:
verbs:
- create
- get
- - update
- delete
+ - patch
- apiGroups:
- apps
resources:
@@ -23,8 +23,8 @@ rules:
verbs:
- create
- get
- - update
- delete
+ - patch
- apiGroups:
- autoscaling
resources:
@@ -32,8 +32,8 @@ rules:
verbs:
- create
- get
- - update
- delete
+ - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
diff --git a/examples/kubernetes/accesslog/json-accesslog.yaml b/examples/kubernetes/accesslog/json-accesslog.yaml
index bd50fb75c68..b69ce861b1b 100644
--- a/examples/kubernetes/accesslog/json-accesslog.yaml
+++ b/examples/kubernetes/accesslog/json-accesslog.yaml
@@ -20,11 +20,11 @@ spec:
accessLog:
settings:
- format:
- type: JSON
- json:
- status: "%RESPONSE_CODE%"
- message: "%LOCAL_REPLY_BODY%"
- sinks:
- - type: File
- file:
- path: /dev/stdout
+ type: JSON
+ json:
+ status: "%RESPONSE_CODE%"
+ message: "%LOCAL_REPLY_BODY%"
+ sinks:
+ - type: File
+ file:
+ path: /dev/stdout
diff --git a/go.mod b/go.mod
index 8ab64c47fb4..b9f4885e373 100644
--- a/go.mod
+++ b/go.mod
@@ -1,15 +1,17 @@
module github.com/envoyproxy/gateway
-go 1.21
+go 1.22
require (
fortio.org/fortio v1.63.5
fortio.org/log v1.12.1
+ github.com/Masterminds/semver/v3 v3.2.1
github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa
github.com/davecgh/go-spew v1.1.1
github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8
github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7
github.com/evanphx/json-patch/v5 v5.9.0
+ github.com/fatih/color v1.15.0
github.com/go-logfmt/logfmt v0.6.0
github.com/go-logr/logr v1.4.1
github.com/go-logr/zapr v1.3.0
@@ -29,6 +31,7 @@ require (
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.24.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0
go.opentelemetry.io/otel/exporters/prometheus v0.46.0
+ go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.24.0
go.opentelemetry.io/otel/metric v1.24.0
go.opentelemetry.io/otel/sdk/metric v1.24.0
go.opentelemetry.io/proto/otlp v1.1.0
@@ -60,7 +63,6 @@ require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
github.com/BurntSushi/toml v1.3.2 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
- github.com/Masterminds/semver/v3 v3.2.1 // indirect
github.com/Masterminds/sprig/v3 v3.2.3 // indirect
github.com/Masterminds/squirrel v1.5.4 // indirect
github.com/Microsoft/hcsshim v0.11.4 // indirect
@@ -75,7 +77,6 @@ require (
github.com/docker/go-connections v0.4.0 // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/go-units v0.5.0 // indirect
- github.com/fatih/color v1.15.0 // indirect
github.com/felixge/httpsnoop v1.0.3 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
@@ -165,7 +166,7 @@ require (
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/tsaarni/x500dn v1.0.0 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
- go.opentelemetry.io/otel/sdk v1.24.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.24.0
go.opentelemetry.io/otel/trace v1.24.0 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
diff --git a/go.sum b/go.sum
index 3b2e77bcffd..0ab717c77bd 100644
--- a/go.sum
+++ b/go.sum
@@ -693,6 +693,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0 h1:mM8
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0/go.mod h1:0PrIIzDteLSmNyxqcGYRL4mDIo8OTuBAOI/Bn1URxac=
go.opentelemetry.io/otel/exporters/prometheus v0.46.0 h1:I8WIFXR351FoLJYuloU4EgXbtNX2URfU/85pUPheIEQ=
go.opentelemetry.io/otel/exporters/prometheus v0.46.0/go.mod h1:ztwVUHe5DTR/1v7PeuGRnU5Bbd4QKYwApWmuutKsJSs=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.24.0 h1:JYE2HM7pZbOt5Jhk8ndWZTUWYOVift2cHjXVMkPdmdc=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.24.0/go.mod h1:yMb/8c6hVsnma0RpsBMNo0fEiQKeclawtgaIaOp2MLY=
go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
diff --git a/internal/cmd/egctl/experimental.go b/internal/cmd/egctl/experimental.go
index ad307cc7cb3..420dc3de526 100644
--- a/internal/cmd/egctl/experimental.go
+++ b/internal/cmd/egctl/experimental.go
@@ -26,6 +26,8 @@ func newExperimentalCommand() *cobra.Command {
experimentalCommand.AddCommand(newStatsCommand())
experimentalCommand.AddCommand(newStatusCommand())
experimentalCommand.AddCommand(newDashboardCommand())
+ experimentalCommand.AddCommand(newInstallCommand())
+ experimentalCommand.AddCommand(newUnInstallCommand())
return experimentalCommand
}
diff --git a/internal/cmd/egctl/install.go b/internal/cmd/egctl/install.go
new file mode 100644
index 00000000000..640dfca0bd0
--- /dev/null
+++ b/internal/cmd/egctl/install.go
@@ -0,0 +1,56 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package egctl
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/envoyproxy/gateway/internal/cmd/options"
+ "github.com/envoyproxy/gateway/internal/utils/helm"
+)
+
+func newInstallCommand() *cobra.Command {
+
+ packageFlags := &helm.PackageOptions{}
+ pt := helm.NewPackageTool()
+
+ installCmd := &cobra.Command{
+ Use: "install",
+ Short: "install envoy gateway",
+ Long: installDescription(),
+ Example: ` # Installed by default, this will install CRDs resources as well as envoy gateway instance resources
+ egctl x install
+
+ # Install envoy gateway instance resources only, skip installing CRDs
+ egctl x install --skip-crds
+
+ # Specify the envoy gateway version and enable debug logging
+ egctl x install --version v0.6.0 --debug
+
+ # Override the default values of the envoy gateway chart and install CRDs only
+ egctl x install --set config.envoyGateway.logging.level.default=info --only-crds
+`,
+ PreRunE: func(_ *cobra.Command, _ []string) error {
+ return pt.Setup()
+ },
+ RunE: func(_ *cobra.Command, _ []string) error {
+ return pt.RunInstall(packageFlags)
+ },
+ }
+ options.AddKubeConfigFlags(installCmd.Flags())
+ pt.SetInstallEnvSettings(installCmd, packageFlags)
+ pt.SetPreRun(installCmd)
+
+ return installCmd
+}
+
+func installDescription() string {
+ return `
+This command installs envoy gateway, which uses the Helm library.
+Will use oci://docker.io/envoyproxy/gateway-helm repo chart, default to the latest version, it is recommended to use a fixed.
+The installation process uses a two-stage installation step: install CRDs first, and then install instance resources, which always ensures that CRDs resources are installed correctly.
+`
+}
diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
index 378f949644a..ffd2abb31b7 100644
--- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
@@ -130,6 +130,13 @@ envoyProxy:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
logging: {}
status: {}
gatewayClass:
@@ -508,6 +515,13 @@ xds:
envoy.restart_features.use_eds_cache_for_ads: true
re2.max_program_size.error_level: 4294967295
re2.max_program_size.warn_level: 1000
+ overloadManager:
+ refreshInterval: 0.250s
+ resourceMonitors:
+ - name: envoy.resource_monitors.global_downstream_max_connections
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ maxActiveDownstreamConnections: "50000"
staticResources:
clusters:
- connectTimeout: 0.250s
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
index cc0ba1f1d65..1f1b83da3dd 100644
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
@@ -56,6 +56,18 @@
}
]
},
+ "overloadManager": {
+ "refreshInterval": "0.250s",
+ "resourceMonitors": [
+ {
+ "name": "envoy.resource_monitors.global_downstream_max_connections",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
+ "maxActiveDownstreamConnections": "50000"
+ }
+ }
+ ]
+ },
"staticResources": {
"clusters": [
{
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
index 10d3d74192f..7e672876739 100644
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
@@ -34,6 +34,13 @@ xds:
envoy.restart_features.use_eds_cache_for_ads: true
re2.max_program_size.error_level: 4294967295
re2.max_program_size.warn_level: 1000
+ overloadManager:
+ refreshInterval: 0.250s
+ resourceMonitors:
+ - name: envoy.resource_monitors.global_downstream_max_connections
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ maxActiveDownstreamConnections: "50000"
staticResources:
clusters:
- connectTimeout: 0.250s
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml
index 33562f700f5..61174308058 100644
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml
@@ -33,6 +33,13 @@ xds:
envoy.restart_features.use_eds_cache_for_ads: true
re2.max_program_size.error_level: 4294967295
re2.max_program_size.warn_level: 1000
+ overloadManager:
+ refreshInterval: 0.250s
+ resourceMonitors:
+ - name: envoy.resource_monitors.global_downstream_max_connections
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ maxActiveDownstreamConnections: "50000"
staticResources:
clusters:
- connectTimeout: 0.250s
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
index f363a4e0f07..5f9cfd64a09 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
@@ -56,6 +56,18 @@
}
]
},
+ "overloadManager": {
+ "refreshInterval": "0.250s",
+ "resourceMonitors": [
+ {
+ "name": "envoy.resource_monitors.global_downstream_max_connections",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
+ "maxActiveDownstreamConnections": "50000"
+ }
+ }
+ ]
+ },
"staticResources": {
"clusters": [
{
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
index dd1a46b95fa..1d981d7b33f 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
@@ -34,6 +34,13 @@ xds:
envoy.restart_features.use_eds_cache_for_ads: true
re2.max_program_size.error_level: 4294967295
re2.max_program_size.warn_level: 1000
+ overloadManager:
+ refreshInterval: 0.250s
+ resourceMonitors:
+ - name: envoy.resource_monitors.global_downstream_max_connections
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ maxActiveDownstreamConnections: "50000"
staticResources:
clusters:
- connectTimeout: 0.250s
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml
index 1d64ba4ebfb..98710133fc5 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml
@@ -33,6 +33,13 @@ xds:
envoy.restart_features.use_eds_cache_for_ads: true
re2.max_program_size.error_level: 4294967295
re2.max_program_size.warn_level: 1000
+ overloadManager:
+ refreshInterval: 0.250s
+ resourceMonitors:
+ - name: envoy.resource_monitors.global_downstream_max_connections
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ maxActiveDownstreamConnections: "50000"
staticResources:
clusters:
- connectTimeout: 0.250s
diff --git a/internal/cmd/egctl/uninstall.go b/internal/cmd/egctl/uninstall.go
new file mode 100644
index 00000000000..769222fe271
--- /dev/null
+++ b/internal/cmd/egctl/uninstall.go
@@ -0,0 +1,53 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package egctl
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/envoyproxy/gateway/internal/cmd/options"
+ "github.com/envoyproxy/gateway/internal/utils/helm"
+)
+
+func newUnInstallCommand() *cobra.Command {
+
+ packageFlags := &helm.PackageOptions{}
+ pt := helm.NewPackageTool()
+
+ uninstallCmd := &cobra.Command{
+ Use: "uninstall",
+ Short: "uninstall envoy gateway",
+ Long: uninstallDescription(),
+ Example: ` # Uninstall envoy gateway by default, this only offloads envoy gateway instance resources
+ egctl x uninstall
+
+ # uninstall all envoy gateway resources, this includes CRDs
+ egctl x uninstall --with-crds
+
+ # Uninstall the envoy gateway with the specified release-name
+ egctl x uninstall --release-name eg
+`,
+ PreRunE: func(_ *cobra.Command, _ []string) error {
+ return pt.Setup()
+ },
+ RunE: func(_ *cobra.Command, _ []string) error {
+ return pt.RunUninstall(packageFlags)
+ },
+ }
+ options.AddKubeConfigFlags(uninstallCmd.Flags())
+ pt.SetUninstallEnvSetting(uninstallCmd, packageFlags)
+ pt.SetPreRun(uninstallCmd)
+
+ return uninstallCmd
+}
+
+func uninstallDescription() string {
+ return `
+This command uninstalls envoy gateway.
+Since egctl install uses a multi-stage installation, the default uninstall will only uninstall envoy gateway instance resources and not CRDs.
+We can specify '--with-crds' to also unload CRDs.
+`
+}
diff --git a/internal/cmd/envoy/shutdown_manager.go b/internal/cmd/envoy/shutdown_manager.go
index 0f9ee77d814..5f517365c74 100644
--- a/internal/cmd/envoy/shutdown_manager.go
+++ b/internal/cmd/envoy/shutdown_manager.go
@@ -108,7 +108,7 @@ func shutdownReadyHandler(w http.ResponseWriter, readyTimeout time.Duration, rea
time.Sleep(1 * time.Second)
case err != nil:
logger.Error(err, "error checking for shutdown readiness")
- case err == nil:
+ default:
logger.Info("shutdown readiness detected")
return
}
diff --git a/internal/envoygateway/config/config.go b/internal/envoygateway/config/config.go
index 4c9674a88b4..3afe0425f6c 100644
--- a/internal/envoygateway/config/config.go
+++ b/internal/envoygateway/config/config.go
@@ -36,6 +36,8 @@ type Server struct {
DNSDomain string
// Logger is the logr implementation used by Envoy Gateway.
Logger logging.Logger
+ // Elected chan is used to signal what a leader is elected
+ Elected chan struct{}
}
// New returns a Server with default parameters.
@@ -45,7 +47,8 @@ func New() (*Server, error) {
Namespace: env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
DNSDomain: env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
// the default logger
- Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
+ Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
+ Elected: make(chan struct{}),
}, nil
}
diff --git a/internal/envoygateway/config/decoder_test.go b/internal/envoygateway/config/decoder_test.go
index eb2f24855db..d8c8e36a230 100644
--- a/internal/envoygateway/config/decoder_test.go
+++ b/internal/envoygateway/config/decoder_test.go
@@ -322,6 +322,30 @@ func TestDecode(t *testing.T) {
in: inPath + "invalid-gateway-version.yaml",
expect: false,
},
+ {
+ in: inPath + "gateway-leaderelection.yaml",
+ out: &v1alpha1.EnvoyGateway{
+ TypeMeta: metav1.TypeMeta{
+ Kind: v1alpha1.KindEnvoyGateway,
+ APIVersion: v1alpha1.GroupVersion.String(),
+ },
+ EnvoyGatewaySpec: v1alpha1.EnvoyGatewaySpec{
+ Gateway: v1alpha1.DefaultGateway(),
+ Provider: &v1alpha1.EnvoyGatewayProvider{
+ Type: v1alpha1.ProviderTypeKubernetes,
+ Kubernetes: &v1alpha1.EnvoyGatewayKubernetesProvider{
+ LeaderElection: &v1alpha1.LeaderElection{
+ Disable: ptr.To(true),
+ LeaseDuration: ptr.To(gwapiv1.Duration("1s")),
+ RenewDeadline: ptr.To(gwapiv1.Duration("2s")),
+ RetryPeriod: ptr.To(gwapiv1.Duration("3s")),
+ },
+ },
+ },
+ },
+ },
+ expect: true,
+ },
}
for _, tc := range testCases {
diff --git a/internal/envoygateway/config/testdata/decoder/in/gateway-global-ratelimit.yaml b/internal/envoygateway/config/testdata/decoder/in/gateway-global-ratelimit.yaml
index 90feadd0491..496ff0a2152 100644
--- a/internal/envoygateway/config/testdata/decoder/in/gateway-global-ratelimit.yaml
+++ b/internal/envoygateway/config/testdata/decoder/in/gateway-global-ratelimit.yaml
@@ -4,6 +4,12 @@ gateway:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
provider:
type: Kubernetes
+ kubernetes:
+ leaderElection:
+ leaseDuration: 15s
+ renewDeadline: 10s
+ retryPeriod: 2s
+ disable: false
rateLimit:
timeout: 10ms
failClosed: true
diff --git a/internal/envoygateway/config/testdata/decoder/in/gateway-leaderelection.yaml b/internal/envoygateway/config/testdata/decoder/in/gateway-leaderelection.yaml
new file mode 100644
index 00000000000..45b65f0fcfd
--- /dev/null
+++ b/internal/envoygateway/config/testdata/decoder/in/gateway-leaderelection.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyGateway
+gateway:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+provider:
+ type: Kubernetes
+ kubernetes:
+ leaderElection:
+ disable: true
+ leaseDuration: "1s"
+ renewDeadline: "2s"
+ retryPeriod: "3s"
+ disabled: false
diff --git a/internal/envoygateway/config/testdata/decoder/in/kube-provider.yaml b/internal/envoygateway/config/testdata/decoder/in/kube-provider.yaml
index 5b57b025643..f59abe95025 100644
--- a/internal/envoygateway/config/testdata/decoder/in/kube-provider.yaml
+++ b/internal/envoygateway/config/testdata/decoder/in/kube-provider.yaml
@@ -2,3 +2,9 @@ apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
provider:
type: Kubernetes
+ kubernetes:
+ leaderElection:
+ leaseDuration: 15s
+ renewDeadline: 10s
+ retryPeriod: 2s
+ disable: false
diff --git a/internal/envoygateway/config/testdata/decoder/in/provider-mixing-gateway.yaml b/internal/envoygateway/config/testdata/decoder/in/provider-mixing-gateway.yaml
index d5b7a239d87..339ed976c48 100644
--- a/internal/envoygateway/config/testdata/decoder/in/provider-mixing-gateway.yaml
+++ b/internal/envoygateway/config/testdata/decoder/in/provider-mixing-gateway.yaml
@@ -2,5 +2,11 @@ apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
provider:
type: Kubernetes
+ kubernetes:
+ leaderElection:
+ leaseDuration: 15s
+ renewDeadline: 10s
+ retryPeriod: 2s
+ disable: false
gateway:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
diff --git a/internal/envoygateway/config/testdata/decoder/in/provider-with-gateway.yaml b/internal/envoygateway/config/testdata/decoder/in/provider-with-gateway.yaml
index f16039a315e..12492974cba 100644
--- a/internal/envoygateway/config/testdata/decoder/in/provider-with-gateway.yaml
+++ b/internal/envoygateway/config/testdata/decoder/in/provider-with-gateway.yaml
@@ -2,5 +2,11 @@ apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
provider:
type: Kubernetes
+ kubernetes:
+ leaderElection:
+ leaseDuration: 15s
+ renewDeadline: 10s
+ retryPeriod: 2s
+ disable: false
gateway:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go
index d7595cb1b4c..5748caee206 100644
--- a/internal/gatewayapi/backendtrafficpolicy.go
+++ b/internal/gatewayapi/backendtrafficpolicy.go
@@ -375,6 +375,8 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen
r.LoadBalancer = lb
r.ProxyProtocol = pp
r.HealthCheck = hc
+ // Update the Host field in HealthCheck, now that we have access to the Route Hostname.
+ r.HealthCheck.SetHTTPHostIfAbsent(r.Hostname)
r.CircuitBreaker = cb
r.FaultInjection = fi
r.TCPKeepalive = ka
@@ -532,7 +534,10 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
}
if r.HealthCheck == nil {
r.HealthCheck = hc
+ // Update the Host field in HealthCheck, now that we have access to the Route Hostname.
+ r.HealthCheck.SetHTTPHostIfAbsent(r.Hostname)
}
+
if r.CircuitBreaker == nil {
r.CircuitBreaker = cb
}
diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go
index 562bdcde1d3..8aa416270f3 100644
--- a/internal/gatewayapi/clienttrafficpolicy.go
+++ b/internal/gatewayapi/clienttrafficpolicy.go
@@ -8,6 +8,7 @@ package gatewayapi
import (
"errors"
"fmt"
+ "math"
"sort"
"strings"
"time"
@@ -124,7 +125,7 @@ func (t *Translator) ProcessClientTrafficPolicies(resources *Resources,
// It must exist since we've already finished processing the gateways
gwXdsIR := xdsIR[irKey]
if string(l.Name) == section {
- err = validatePortOverlapForClientTrafficPolicy(l, gwXdsIR)
+ err = validatePortOverlapForClientTrafficPolicy(l, gwXdsIR, false)
if err == nil {
err = t.translateClientTrafficPolicyForListener(policy, l, xdsIR, infraIR, resources)
}
@@ -234,7 +235,7 @@ func (t *Translator) ProcessClientTrafficPolicies(resources *Resources,
irKey := t.getIRKey(l.gateway)
// It must exist since we've already finished processing the gateways
gwXdsIR := xdsIR[irKey]
- if err := validatePortOverlapForClientTrafficPolicy(l, gwXdsIR); err != nil {
+ if err := validatePortOverlapForClientTrafficPolicy(l, gwXdsIR, true); err != nil {
errs = errors.Join(errs, err)
} else if err := t.translateClientTrafficPolicyForListener(policy, l, xdsIR, infraIR, resources); err != nil {
errs = errors.Join(errs, err)
@@ -312,7 +313,7 @@ func resolveCTPolicyTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways map[t
return gateway.GatewayContext, nil
}
-func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds) error {
+func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds, attachedToGateway bool) error {
// Find Listener IR
// TODO: Support TLSRoute and TCPRoute once
// https://github.com/envoyproxy/gateway/issues/1635 is completed
@@ -328,8 +329,29 @@ func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds)
// IR must exist since we're past validation
if httpIR != nil {
+ // Get a list of all other non-TLS listeners on this Gateway that share a port with
+ // the listener in question.
if sameListeners := listenersWithSameHTTPPort(xds, httpIR); len(sameListeners) != 0 {
- return fmt.Errorf("affects additional listeners: %s", strings.Join(sameListeners, ", "))
+ if attachedToGateway {
+ // If this policy is attached to an entire gateway and the mergeGateways feature
+ // is turned on, validate that all the listeners affected by this policy originated
+ // from the same Gateway resource. The name of the Gateway from which this listener
+ // originated is part of the listener's name by construction.
+ gatewayName := irListenerName[0:strings.LastIndex(irListenerName, "/")]
+ conflictingListeners := []string{}
+ for _, currName := range sameListeners {
+ if strings.Index(currName, gatewayName) != 0 {
+ conflictingListeners = append(conflictingListeners, currName)
+ }
+ }
+ if len(conflictingListeners) != 0 {
+ return fmt.Errorf("ClientTrafficPolicy is being applied to multiple http (non https) listeners (%s) on the same port, which is not allowed", strings.Join(conflictingListeners, ", "))
+ }
+ } else {
+ // If this policy is attached to a specific listener, any other listeners in the list
+ // would be affected by this policy but should not be, so this policy can't be accepted.
+ return fmt.Errorf("ClientTrafficPolicy is being applied to multiple http (non https) listeners (%s) on the same port, which is not allowed", strings.Join(sameListeners, ", "))
+ }
}
}
return nil
@@ -461,27 +483,34 @@ func translateClientTimeout(clientTimeout *egv1a1.ClientTimeout, httpIR *ir.HTTP
return nil
}
+ irClientTimeout := &ir.ClientTimeout{}
+
if clientTimeout.HTTP != nil {
+ irHTTPTimeout := &ir.HTTPClientTimeout{}
if clientTimeout.HTTP.RequestReceivedTimeout != nil {
d, err := time.ParseDuration(string(*clientTimeout.HTTP.RequestReceivedTimeout))
if err != nil {
return err
}
- switch {
- case httpIR.Timeout == nil:
- httpIR.Timeout = &ir.ClientTimeout{}
- fallthrough
-
- case httpIR.Timeout.HTTP == nil:
- httpIR.Timeout.HTTP = &ir.HTTPClientTimeout{}
+ irHTTPTimeout.RequestReceivedTimeout = &metav1.Duration{
+ Duration: d,
}
+ }
- httpIR.Timeout.HTTP.RequestReceivedTimeout = &metav1.Duration{
+ if clientTimeout.HTTP.IdleTimeout != nil {
+ d, err := time.ParseDuration(string(*clientTimeout.HTTP.IdleTimeout))
+ if err != nil {
+ return err
+ }
+ irHTTPTimeout.IdleTimeout = &metav1.Duration{
Duration: d,
}
}
+ irClientTimeout.HTTP = irHTTPTimeout
}
+ httpIR.Timeout = irClientTimeout
+
return nil
}
@@ -510,7 +539,8 @@ func translateListenerHeaderSettings(headerSettings *egv1a1.HeaderSettings, http
return
}
httpIR.Headers = &ir.HeaderSettings{
- EnableEnvoyHeaders: ptr.Deref(headerSettings.EnableEnvoyHeaders, false),
+ EnableEnvoyHeaders: ptr.Deref(headerSettings.EnableEnvoyHeaders, false),
+ WithUnderscoresAction: ir.WithUnderscoresAction(ptr.Deref(headerSettings.WithUnderscoresAction, egv1a1.WithUnderscoresActionRejectRequest)),
}
}
@@ -671,7 +701,18 @@ func translateListenerConnection(connection *egv1a1.Connection, httpIR *ir.HTTPL
irConnectionLimit.CloseDelay = ptr.To(metav1.Duration{Duration: d})
}
- irConnection.Limit = irConnectionLimit
+ irConnection.ConnectionLimit = irConnectionLimit
+ }
+
+ if connection.BufferLimit != nil {
+ bufferLimit, ok := connection.BufferLimit.AsInt64()
+ if !ok {
+ return fmt.Errorf("invalid BufferLimit value %s", connection.BufferLimit.String())
+ }
+ if bufferLimit < 0 || bufferLimit > math.MaxUint32 {
+ return fmt.Errorf("BufferLimit value %s is out of range", connection.BufferLimit.String())
+ }
+ irConnection.BufferLimitBytes = ptr.To(uint32(bufferLimit))
}
httpIR.Connection = irConnection
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
new file mode 100644
index 00000000000..ca843d4d7a9
--- /dev/null
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -0,0 +1,430 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package gatewayapi
+
+import (
+ "fmt"
+ "sort"
+ "strings"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/utils/ptr"
+
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+ "github.com/envoyproxy/gateway/internal/ir"
+ "github.com/envoyproxy/gateway/internal/status"
+ "github.com/envoyproxy/gateway/internal/utils"
+)
+
+func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy,
+ gateways []*GatewayContext,
+ routes []RouteContext,
+ resources *Resources,
+ xdsIR XdsIRMap) []*egv1a1.EnvoyExtensionPolicy {
+ var res []*egv1a1.EnvoyExtensionPolicy
+
+ // Sort based on timestamp
+ sort.Slice(envoyExtensionPolicies, func(i, j int) bool {
+ return envoyExtensionPolicies[i].CreationTimestamp.Before(&(envoyExtensionPolicies[j].CreationTimestamp))
+ })
+
+ // First build a map out of the routes and gateways for faster lookup since users might have thousands of routes or more.
+ routeMap := map[policyTargetRouteKey]*policyRouteTargetContext{}
+ for _, route := range routes {
+ key := policyTargetRouteKey{
+ Kind: string(GetRouteType(route)),
+ Name: route.GetName(),
+ Namespace: route.GetNamespace(),
+ }
+ routeMap[key] = &policyRouteTargetContext{RouteContext: route}
+ }
+
+ gatewayMap := map[types.NamespacedName]*policyGatewayTargetContext{}
+ for _, gw := range gateways {
+ key := utils.NamespacedName(gw)
+ gatewayMap[key] = &policyGatewayTargetContext{GatewayContext: gw}
+ }
+
+ // Map of Gateway to the routes attached to it
+ gatewayRouteMap := make(map[string]sets.Set[string])
+
+ // Translate
+ // 1. First translate Policies targeting xRoutes
+ // 2. Finally, the policies targeting Gateways
+
+ // Process the policies targeting xRoutes
+ for _, policy := range envoyExtensionPolicies {
+ if policy.Spec.TargetRef.Kind != KindGateway {
+ policy := policy.DeepCopy()
+ res = append(res, policy)
+
+ // Negative statuses have already been assigned so its safe to skip
+ route, resolveErr := resolveEEPolicyRouteTargetRef(policy, routeMap)
+ if route == nil {
+ continue
+ }
+
+ // Find the Gateway that the route belongs to and add it to the
+ // gatewayRouteMap and ancestor list, which will be used to check
+ // policy overrides and populate its ancestor status.
+ parentRefs := GetParentReferences(route)
+ ancestorRefs := make([]gwv1a2.ParentReference, 0, len(parentRefs))
+ for _, p := range parentRefs {
+ if p.Kind == nil || *p.Kind == KindGateway {
+ namespace := route.GetNamespace()
+ if p.Namespace != nil {
+ namespace = string(*p.Namespace)
+ }
+ gwNN := types.NamespacedName{
+ Namespace: namespace,
+ Name: string(p.Name),
+ }
+
+ key := gwNN.String()
+ if _, ok := gatewayRouteMap[key]; !ok {
+ gatewayRouteMap[key] = make(sets.Set[string])
+ }
+ gatewayRouteMap[key].Insert(utils.NamespacedName(route).String())
+
+ // Do need a section name since the policy is targeting to a route
+ ancestorRefs = append(ancestorRefs, getAncestorRefForPolicy(gwNN, p.SectionName))
+ }
+ }
+
+ // Set conditions for resolve error, then skip current xroute
+ if resolveErr != nil {
+ status.SetResolveErrorForPolicyAncestors(&policy.Status,
+ ancestorRefs,
+ t.GatewayControllerName,
+ policy.Generation,
+ resolveErr,
+ )
+
+ continue
+ }
+
+ // Set conditions for translation error if it got any
+ if err := t.translateEnvoyExtensionPolicyForRoute(policy, route, xdsIR, resources); err != nil {
+ status.SetTranslationErrorForPolicyAncestors(&policy.Status,
+ ancestorRefs,
+ t.GatewayControllerName,
+ policy.Generation,
+ status.Error2ConditionMsg(err),
+ )
+ }
+
+ // Set Accepted condition if it is unset
+ status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName)
+ }
+ }
+
+ // Process the policies targeting Gateways
+ for _, policy := range envoyExtensionPolicies {
+ if policy.Spec.TargetRef.Kind == KindGateway {
+ policy := policy.DeepCopy()
+ res = append(res, policy)
+
+ // Negative statuses have already been assigned so its safe to skip
+ gateway, resolveErr := resolveEEPolicyGatewayTargetRef(policy, gatewayMap)
+ if gateway == nil {
+ continue
+ }
+
+ // Find its ancestor reference by resolved gateway, even with resolve error
+ gatewayNN := utils.NamespacedName(gateway)
+ ancestorRefs := []gwv1a2.ParentReference{
+ // Don't need a section name since the policy is targeting to a gateway
+ getAncestorRefForPolicy(gatewayNN, nil),
+ }
+
+ // Set conditions for resolve error, then skip current gateway
+ if resolveErr != nil {
+ status.SetResolveErrorForPolicyAncestors(&policy.Status,
+ ancestorRefs,
+ t.GatewayControllerName,
+ policy.Generation,
+ resolveErr,
+ )
+
+ continue
+ }
+
+ // Set conditions for translation error if it got any
+ if err := t.translateEnvoyExtensionPolicyForGateway(policy, gateway, xdsIR, resources); err != nil {
+ status.SetTranslationErrorForPolicyAncestors(&policy.Status,
+ ancestorRefs,
+ t.GatewayControllerName,
+ policy.Generation,
+ status.Error2ConditionMsg(err),
+ )
+ }
+
+ // Set Accepted condition if it is unset
+ status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName)
+
+ // Check if this policy is overridden by other policies targeting at
+ // route level
+ if r, ok := gatewayRouteMap[gatewayNN.String()]; ok {
+ // Maintain order here to ensure status/string does not change with the same data
+ routes := r.UnsortedList()
+ sort.Strings(routes)
+ message := fmt.Sprintf("This policy is being overridden by other envoyExtensionPolicies for these routes: %v", routes)
+
+ status.SetConditionForPolicyAncestors(&policy.Status,
+ ancestorRefs,
+ t.GatewayControllerName,
+ egv1a1.PolicyConditionOverridden,
+ metav1.ConditionTrue,
+ egv1a1.PolicyReasonOverridden,
+ message,
+ policy.Generation,
+ )
+ }
+ }
+ }
+
+ return res
+}
+
+func resolveEEPolicyGatewayTargetRef(policy *egv1a1.EnvoyExtensionPolicy, gateways map[types.NamespacedName]*policyGatewayTargetContext) (*GatewayContext, *status.PolicyResolveError) {
+ targetNs := policy.Spec.TargetRef.Namespace
+ // If empty, default to namespace of policy
+ if targetNs == nil {
+ targetNs = ptr.To(gwv1b1.Namespace(policy.Namespace))
+ }
+
+ // Check if the gateway exists
+ key := types.NamespacedName{
+ Name: string(policy.Spec.TargetRef.Name),
+ Namespace: string(*targetNs),
+ }
+ gateway, ok := gateways[key]
+
+ // Gateway not found
+ if !ok {
+ return nil, nil
+ }
+
+ // Ensure Policy and target are in the same namespace
+ if policy.Namespace != string(*targetNs) {
+ message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, EnvoyExtensionPolicy can only target a resource in the same namespace.",
+ policy.Namespace, *targetNs)
+
+ return gateway.GatewayContext, &status.PolicyResolveError{
+ Reason: gwv1a2.PolicyReasonInvalid,
+ Message: message,
+ }
+ }
+
+ // Check if another policy targeting the same Gateway exists
+ if gateway.attached {
+ message := "Unable to target Gateway, another EnvoyExtensionPolicy has already attached to it"
+
+ return gateway.GatewayContext, &status.PolicyResolveError{
+ Reason: gwv1a2.PolicyReasonConflicted,
+ Message: message,
+ }
+ }
+
+ // Set context and save
+ gateway.attached = true
+ gateways[key] = gateway
+
+ return gateway.GatewayContext, nil
+}
+
+func resolveEEPolicyRouteTargetRef(policy *egv1a1.EnvoyExtensionPolicy, routes map[policyTargetRouteKey]*policyRouteTargetContext) (RouteContext, *status.PolicyResolveError) {
+ targetNs := policy.Spec.TargetRef.Namespace
+ // If empty, default to namespace of policy
+ if targetNs == nil {
+ targetNs = ptr.To(gwv1b1.Namespace(policy.Namespace))
+ }
+
+ // Check if the route exists
+ key := policyTargetRouteKey{
+ Kind: string(policy.Spec.TargetRef.Kind),
+ Name: string(policy.Spec.TargetRef.Name),
+ Namespace: string(*targetNs),
+ }
+
+ route, ok := routes[key]
+ // Route not found
+ if !ok {
+ return nil, nil
+ }
+
+ // Ensure Policy and target are in the same namespace
+ if policy.Namespace != string(*targetNs) {
+ message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, EnvoyExtensionPolicy can only target a resource in the same namespace.",
+ policy.Namespace, *targetNs)
+
+ return route.RouteContext, &status.PolicyResolveError{
+ Reason: gwv1a2.PolicyReasonInvalid,
+ Message: message,
+ }
+ }
+
+ // Check if another policy targeting the same xRoute exists
+ if route.attached {
+ message := fmt.Sprintf("Unable to target %s, another EnvoyExtensionPolicy has already attached to it",
+ string(policy.Spec.TargetRef.Kind))
+
+ return route.RouteContext, &status.PolicyResolveError{
+ Reason: gwv1a2.PolicyReasonConflicted,
+ Message: message,
+ }
+ }
+
+ // Set context and save
+ route.attached = true
+ routes[key] = route
+
+ return route.RouteContext, nil
+}
+
+func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyExtensionPolicy, route RouteContext,
+ xdsIR XdsIRMap, resources *Resources) error {
+ // Apply IR to all relevant routes
+ prefix := irRoutePrefix(route)
+ for _, ir := range xdsIR {
+ for _, http := range ir.HTTP {
+ for _, r := range http.Routes {
+ // Apply if there is a match
+ if strings.HasPrefix(r.Name, prefix) {
+ if extProcs, err := t.buildExtProcs(policy, resources); err == nil {
+ r.ExtProcs = extProcs
+ } else {
+ return err
+ }
+ }
+ }
+ }
+ }
+
+ return nil
+}
+
+func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources) ([]ir.ExtProc, error) {
+ var extProcIRList []ir.ExtProc
+
+ if policy == nil {
+ return nil, nil
+ }
+
+ if len(policy.Spec.ExtProc) > 0 {
+ for idx, ep := range policy.Spec.ExtProc {
+ name := irConfigNameForEEP(policy, idx)
+ extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources)
+ if err != nil {
+ return nil, err
+ }
+ extProcIRList = append(extProcIRList, *extProcIR)
+ }
+ }
+ return extProcIRList, nil
+}
+
+func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.EnvoyExtensionPolicy,
+ gateway *GatewayContext, xdsIR XdsIRMap, resources *Resources) error {
+
+ irKey := t.getIRKey(gateway.Gateway)
+ // Should exist since we've validated this
+ ir := xdsIR[irKey]
+
+ policyTarget := irStringKey(
+ string(ptr.Deref(policy.Spec.TargetRef.Namespace, gwv1a2.Namespace(policy.Namespace))),
+ string(policy.Spec.TargetRef.Name),
+ )
+
+ extProcs, err := t.buildExtProcs(policy, resources)
+ if err != nil {
+ return err
+ }
+
+ for _, http := range ir.HTTP {
+ gatewayName := http.Name[0:strings.LastIndex(http.Name, "/")]
+ if t.MergeGateways && gatewayName != policyTarget {
+ continue
+ }
+
+ // A Policy targeting the most specific scope(xRoute) wins over a policy
+ // targeting a lesser specific scope(Gateway).
+ for _, r := range http.Routes {
+ // if already set - there's a route level policy, so skip
+ if r.ExtProcs == nil {
+ r.ExtProcs = extProcs
+ }
+ }
+ }
+
+ return nil
+}
+
+func (t *Translator) buildExtProc(
+ name string,
+ policyNamespacedName types.NamespacedName,
+ extProc egv1a1.ExtProc,
+ extProcIdx int,
+ resources *Resources) (*ir.ExtProc, error) {
+ var (
+ backendRef *gwapiv1.BackendObjectReference
+ ds *ir.DestinationSetting
+ authority string
+ err error
+ )
+
+ backendRef = &extProc.BackendRef.BackendObjectReference
+
+ if err = t.validateExtServiceBackendReference(
+ backendRef,
+ policyNamespacedName.Namespace,
+ resources); err != nil {
+ return nil, err
+ }
+
+ authority = fmt.Sprintf(
+ "%s.%s:%d",
+ backendRef.Name,
+ NamespaceDerefOr(backendRef.Namespace, policyNamespacedName.Namespace),
+ *backendRef.Port)
+
+ if ds, err = t.processExtServiceDestination(
+ backendRef,
+ policyNamespacedName,
+ egv1a1.KindEnvoyExtensionPolicy,
+ ir.GRPC,
+ resources); err != nil {
+ return nil, err
+ }
+
+ rd := ir.RouteDestination{
+ Name: irIndexedExtServiceDestinationName(policyNamespacedName, egv1a1.KindEnvoyExtensionPolicy,
+ string(backendRef.Name), extProcIdx),
+ Settings: []*ir.DestinationSetting{ds},
+ }
+
+ extProcIR := &ir.ExtProc{
+ Name: name,
+ Destination: rd,
+ Authority: authority,
+ }
+
+ return extProcIR, err
+}
+
+func irConfigNameForEEP(policy *egv1a1.EnvoyExtensionPolicy, idx int) string {
+ return fmt.Sprintf(
+ "%s/%s/%d",
+ strings.ToLower(egv1a1.KindEnvoyExtensionPolicy),
+ utils.NamespacedName(policy).String(),
+ idx)
+}
diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go
new file mode 100644
index 00000000000..a14e2b1258e
--- /dev/null
+++ b/internal/gatewayapi/ext_service.go
@@ -0,0 +1,104 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package gatewayapi
+
+import (
+ "errors"
+ "fmt"
+ "strings"
+
+ v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/utils/ptr"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ egv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+ "github.com/envoyproxy/gateway/internal/ir"
+)
+
+// TODO: zhaohuabing combine this function with the one in the route translator
+func (t *Translator) processExtServiceDestination(
+ backendRef *gwapiv1.BackendObjectReference,
+ policyNamespacedName types.NamespacedName,
+ policyKind string,
+ protocol ir.AppProtocol,
+ resources *Resources) (*ir.DestinationSetting, error) {
+ var (
+ endpoints []*ir.DestinationEndpoint
+ addrType *ir.DestinationAddressType
+ servicePort v1.ServicePort
+ backendTLS *ir.TLSUpstreamConfig
+ )
+
+ serviceNamespace := NamespaceDerefOr(backendRef.Namespace, policyNamespacedName.Namespace)
+ service := resources.GetService(serviceNamespace, string(backendRef.Name))
+ for _, port := range service.Spec.Ports {
+ if port.Port == int32(*backendRef.Port) {
+ servicePort = port
+ break
+ }
+ }
+
+ if servicePort.AppProtocol != nil &&
+ *servicePort.AppProtocol == "kubernetes.io/h2c" {
+ protocol = ir.HTTP2
+ }
+
+ // Route to endpoints by default
+ if !t.EndpointRoutingDisabled {
+ endpointSlices := resources.GetEndpointSlicesForBackend(
+ serviceNamespace, string(backendRef.Name), KindService)
+ endpoints, addrType = getIREndpointsFromEndpointSlices(
+ endpointSlices, servicePort.Name, servicePort.Protocol)
+ } else {
+ // Fall back to Service ClusterIP routing
+ ep := ir.NewDestEndpoint(
+ service.Spec.ClusterIP,
+ uint32(*backendRef.Port))
+ endpoints = append(endpoints, ep)
+ }
+
+ // TODO: support mixed endpointslice address type for the same backendRef
+ if !t.EndpointRoutingDisabled && addrType != nil && *addrType == ir.MIXED {
+ return nil, errors.New(
+ "mixed endpointslice address type for the same backendRef is not supported")
+ }
+
+ backendTLS = t.processBackendTLSPolicy(
+ *backendRef,
+ serviceNamespace,
+ // Gateway is not the appropriate parent reference here because the owner
+ // of the BackendRef is the policy, and there is no hierarchy
+ // relationship between the policy and a gateway.
+ // The owner policy of the BackendRef is used as the parent reference here.
+ egv1a2.ParentReference{
+ Group: ptr.To(gwapiv1.Group(egv1a1.GroupName)),
+ Kind: ptr.To(gwapiv1.Kind(policyKind)),
+ Namespace: ptr.To(gwapiv1.Namespace(policyNamespacedName.Namespace)),
+ Name: gwapiv1.ObjectName(policyNamespacedName.Name),
+ },
+ resources)
+
+ return &ir.DestinationSetting{
+ Weight: ptr.To(uint32(1)),
+ Protocol: protocol,
+ Endpoints: endpoints,
+ AddressType: addrType,
+ TLS: backendTLS,
+ }, nil
+}
+
+// TODO: also refer to extension type, as WASM may also introduce destinations
+func irIndexedExtServiceDestinationName(policyNamespacedName types.NamespacedName, policyKind, service string, idx int) string {
+ return strings.ToLower(fmt.Sprintf(
+ "%s/%s/%s/%d/%s",
+ policyKind,
+ policyNamespacedName.Namespace,
+ policyNamespacedName.Name,
+ idx,
+ service))
+}
diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
index 4702d2a4e26..de94aaf27e9 100644
--- a/internal/gatewayapi/listener.go
+++ b/internal/gatewayapi/listener.go
@@ -24,6 +24,8 @@ type ListenersTranslator interface {
}
func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources) {
+ // Infra IR proxy ports must be unique.
+ foundPorts := make(map[string][]*protocolPort)
t.validateConflictedLayer7Listeners(gateways)
t.validateConflictedLayer4Listeners(gateways, gwapiv1.TCPProtocolType, gwapiv1.TLSProtocolType)
t.validateConflictedLayer4Listeners(gateways, gwapiv1.UDPProtocolType)
@@ -35,8 +37,6 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
// and compute status for each, and add valid ones
// to the Xds IR.
for _, gateway := range gateways {
- // Infra IR proxy ports must be unique.
- var foundPorts []*protocolPort
irKey := t.getIRKey(gateway.Gateway)
if resources.EnvoyProxy != nil {
@@ -93,7 +93,6 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
if !isReady {
continue
}
-
// Add the listener to the Xds IR
servicePort := &protocolPort{protocol: listener.Protocol, port: int32(listener.Port)}
containerPort := servicePortToContainerPort(servicePort.port)
@@ -122,42 +121,46 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
// Add the listener to the Infra IR. Infra IR ports must have a unique port number per layer-4 protocol
// (TCP or UDP).
- if !containsPort(foundPorts, servicePort) {
- foundPorts = append(foundPorts, servicePort)
- var proto ir.ProtocolType
- switch listener.Protocol {
- case gwapiv1.HTTPProtocolType:
- proto = ir.HTTPProtocolType
- case gwapiv1.HTTPSProtocolType:
- proto = ir.HTTPSProtocolType
- case gwapiv1.TLSProtocolType:
- proto = ir.TLSProtocolType
- case gwapiv1.TCPProtocolType:
- proto = ir.TCPProtocolType
- case gwapiv1.UDPProtocolType:
- proto = ir.UDPProtocolType
- }
+ if !containsPort(foundPorts[irKey], servicePort) {
+ t.processInfraIRListener(listener, infraIR, irKey, servicePort)
+ foundPorts[irKey] = append(foundPorts[irKey], servicePort)
+ }
+ }
+ }
+}
- infraPortName := string(listener.Name)
- if t.MergeGateways {
- infraPortName = irHTTPListenerName(listener)
- }
- infraPort := ir.ListenerPort{
- Name: infraPortName,
- Protocol: proto,
- ServicePort: servicePort.port,
- ContainerPort: containerPort,
- }
+func (t *Translator) processInfraIRListener(listener *ListenerContext, infraIR InfraIRMap, irKey string, servicePort *protocolPort) {
+ var proto ir.ProtocolType
+ switch listener.Protocol {
+ case gwapiv1.HTTPProtocolType:
+ proto = ir.HTTPProtocolType
+ case gwapiv1.HTTPSProtocolType:
+ proto = ir.HTTPSProtocolType
+ case gwapiv1.TLSProtocolType:
+ proto = ir.TLSProtocolType
+ case gwapiv1.TCPProtocolType:
+ proto = ir.TCPProtocolType
+ case gwapiv1.UDPProtocolType:
+ proto = ir.UDPProtocolType
+ }
- proxyListener := &ir.ProxyListener{
- Name: irHTTPListenerName(listener),
- Ports: []ir.ListenerPort{infraPort},
- }
+ infraPortName := string(listener.Name)
+ if t.MergeGateways {
+ infraPortName = irHTTPListenerName(listener)
+ }
+ infraPort := ir.ListenerPort{
+ Name: infraPortName,
+ Protocol: proto,
+ ServicePort: servicePort.port,
+ ContainerPort: servicePortToContainerPort(servicePort.port),
+ }
- infraIR[irKey].Proxy.Listeners = append(infraIR[irKey].Proxy.Listeners, proxyListener)
- }
- }
+ proxyListener := &ir.ProxyListener{
+ Name: irHTTPListenerName(listener),
+ Ports: []ir.ListenerPort{infraPort},
}
+
+ infraIR[irKey].Proxy.Listeners = append(infraIR[irKey].Proxy.Listeners, proxyListener)
}
func processAccessLog(envoyproxy *egv1a1.EnvoyProxy) *ir.AccessLog {
diff --git a/internal/gatewayapi/resource.go b/internal/gatewayapi/resource.go
index 6a8f37e33b1..f930801c2bf 100644
--- a/internal/gatewayapi/resource.go
+++ b/internal/gatewayapi/resource.go
@@ -52,6 +52,7 @@ type Resources struct {
BackendTrafficPolicies []*egv1a1.BackendTrafficPolicy `json:"backendTrafficPolicies,omitempty" yaml:"backendTrafficPolicies,omitempty"`
SecurityPolicies []*egv1a1.SecurityPolicy `json:"securityPolicies,omitempty" yaml:"securityPolicies,omitempty"`
BackendTLSPolicies []*gwapiv1a2.BackendTLSPolicy `json:"backendTLSPolicies,omitempty" yaml:"backendTLSPolicies,omitempty"`
+ EnvoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy `json:"envoyExtensionPolicies,omitempty" yaml:"envoyExtensionPolicies,omitempty"`
}
func NewResources() *Resources {
@@ -72,6 +73,7 @@ func NewResources() *Resources {
BackendTrafficPolicies: []*egv1a1.BackendTrafficPolicy{},
SecurityPolicies: []*egv1a1.SecurityPolicy{},
BackendTLSPolicies: []*gwapiv1a2.BackendTLSPolicy{},
+ EnvoyExtensionPolicies: []*egv1a1.EnvoyExtensionPolicy{},
}
}
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
index e29c8f0502c..1b0ac613bdd 100644
--- a/internal/gatewayapi/route.go
+++ b/internal/gatewayapi/route.go
@@ -263,12 +263,6 @@ func processTimeout(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) {
func setRequestTimeout(irTimeout *ir.Timeout, d metav1.Duration) {
switch {
- case irTimeout == nil:
- irTimeout = &ir.Timeout{
- HTTP: &ir.HTTPTimeout{
- RequestTimeout: ptr.To(d),
- },
- }
case irTimeout.HTTP == nil:
irTimeout.HTTP = &ir.HTTPTimeout{
RequestTimeout: ptr.To(d),
diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
index abc1016aa83..4ef2d3d2702 100644
--- a/internal/gatewayapi/runner/runner.go
+++ b/internal/gatewayapi/runner/runner.go
@@ -196,6 +196,14 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
}
delete(statusesToDelete.SecurityPolicyStatusKeys, key)
}
+ for _, envoyExtensionPolicy := range result.EnvoyExtensionPolicies {
+ envoyExtensionPolicy := envoyExtensionPolicy
+ key := utils.NamespacedName(envoyExtensionPolicy)
+ if !(reflect.ValueOf(envoyExtensionPolicy.Status).IsZero()) {
+ r.ProviderResources.EnvoyExtensionPolicyStatuses.Store(key, &envoyExtensionPolicy.Status)
+ }
+ delete(statusesToDelete.EnvoyExtensionPolicyStatusKeys, key)
+ }
}
// Delete IR keys
@@ -233,6 +241,7 @@ type StatusesToDelete struct {
ClientTrafficPolicyStatusKeys map[types.NamespacedName]bool
BackendTrafficPolicyStatusKeys map[types.NamespacedName]bool
SecurityPolicyStatusKeys map[types.NamespacedName]bool
+ EnvoyExtensionPolicyStatusKeys map[types.NamespacedName]bool
}
func (r *Runner) getAllStatuses() *StatusesToDelete {
@@ -249,6 +258,7 @@ func (r *Runner) getAllStatuses() *StatusesToDelete {
BackendTrafficPolicyStatusKeys: make(map[types.NamespacedName]bool),
SecurityPolicyStatusKeys: make(map[types.NamespacedName]bool),
BackendTLSPolicyStatusKeys: make(map[types.NamespacedName]bool),
+ EnvoyExtensionPolicyStatusKeys: make(map[types.NamespacedName]bool),
}
// Get current status keys
@@ -283,7 +293,9 @@ func (r *Runner) getAllStatuses() *StatusesToDelete {
for key := range r.ProviderResources.SecurityPolicyStatuses.LoadAll() {
ds.SecurityPolicyStatusKeys[key] = true
}
-
+ for key := range r.ProviderResources.EnvoyExtensionPolicyStatuses.LoadAll() {
+ ds.EnvoyExtensionPolicyStatusKeys[key] = true
+ }
return ds
}
@@ -329,6 +341,10 @@ func (r *Runner) deleteStatusKeys(ds *StatusesToDelete) {
r.ProviderResources.BackendTLSPolicyStatuses.Delete(key)
delete(ds.BackendTLSPolicyStatusKeys, key)
}
+ for key := range ds.EnvoyExtensionPolicyStatusKeys {
+ r.ProviderResources.EnvoyExtensionPolicyStatuses.Delete(key)
+ delete(ds.EnvoyExtensionPolicyStatusKeys, key)
+ }
}
// deleteAllStatusKeys deletes all status keys stored by the subscriber.
@@ -366,6 +382,9 @@ func (r *Runner) deleteAllStatusKeys() {
for key := range r.ProviderResources.SecurityPolicyStatuses.LoadAll() {
r.ProviderResources.SecurityPolicyStatuses.Delete(key)
}
+ for key := range r.ProviderResources.EnvoyExtensionPolicyStatuses.LoadAll() {
+ r.ProviderResources.EnvoyExtensionPolicyStatuses.Delete(key)
+ }
}
// getIRKeysToDelete returns the list of IR keys to delete
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 67bf2314bef..b0c0976534d 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -134,9 +134,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
continue
}
- err := t.translateSecurityPolicyForRoute(policy, targetedRoute, resources, xdsIR)
-
- if err != nil {
+ if err := t.translateSecurityPolicyForRoute(policy, targetedRoute, resources, xdsIR); err != nil {
status.SetTranslationErrorForPolicyAncestors(&policy.Status,
parentGateways,
t.GatewayControllerName,
@@ -188,15 +186,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
continue
}
- irKey := t.getIRKey(targetedGateway.Gateway)
- // Should exist since we've validated this
- xds := xdsIR[irKey]
- err := validatePortOverlapForSecurityPolicyGateway(xds)
- if err == nil {
- err = t.translateSecurityPolicyForGateway(policy, targetedGateway, resources, xdsIR)
- }
-
- if err != nil {
+ if err := t.translateSecurityPolicyForGateway(policy, targetedGateway, resources, xdsIR); err != nil {
status.SetTranslationErrorForPolicyAncestors(&policy.Status,
parentGateways,
t.GatewayControllerName,
@@ -508,20 +498,6 @@ func (t *Translator) translateSecurityPolicyForGateway(
return errs
}
-func validatePortOverlapForSecurityPolicyGateway(xds *ir.Xds) error {
- affectedListeners := []string{}
- for _, http := range xds.HTTP {
- if sameListeners := listenersWithSameHTTPPort(xds, http); len(sameListeners) != 0 {
- affectedListeners = append(affectedListeners, sameListeners...)
- }
- }
-
- if len(affectedListeners) > 0 {
- return fmt.Errorf("affects multiple listeners: %s", strings.Join(affectedListeners, ", "))
- }
- return nil
-}
-
func (t *Translator) buildCORS(cors *egv1a1.CORS) *ir.CORS {
var allowOrigins []*ir.StringMatch
@@ -829,9 +805,11 @@ func (t *Translator) buildExtAuth(
NamespaceDerefOr(backendRef.Namespace, policy.Namespace),
*backendRef.Port)
+ pnn := utils.NamespacedName(policy)
if ds, err = t.processExtServiceDestination(
backendRef,
- policy,
+ pnn,
+ KindSecurityPolicy,
protocol,
resources); err != nil {
return nil, err
@@ -863,77 +841,6 @@ func (t *Translator) buildExtAuth(
return extAuth, nil
}
-// TODO: zhaohuabing combine this function with the one in the route translator
-func (t *Translator) processExtServiceDestination(
- backendRef *gwapiv1.BackendObjectReference,
- policy *egv1a1.SecurityPolicy,
- protocol ir.AppProtocol,
- resources *Resources) (*ir.DestinationSetting, error) {
- var (
- endpoints []*ir.DestinationEndpoint
- addrType *ir.DestinationAddressType
- servicePort v1.ServicePort
- backendTLS *ir.TLSUpstreamConfig
- )
-
- serviceNamespace := NamespaceDerefOr(backendRef.Namespace, policy.Namespace)
- service := resources.GetService(serviceNamespace, string(backendRef.Name))
- for _, port := range service.Spec.Ports {
- if port.Port == int32(*backendRef.Port) {
- servicePort = port
- break
- }
- }
-
- if servicePort.AppProtocol != nil &&
- *servicePort.AppProtocol == "kubernetes.io/h2c" {
- protocol = ir.HTTP2
- }
-
- // Route to endpoints by default
- if !t.EndpointRoutingDisabled {
- endpointSlices := resources.GetEndpointSlicesForBackend(
- serviceNamespace, string(backendRef.Name), KindService)
- endpoints, addrType = getIREndpointsFromEndpointSlices(
- endpointSlices, servicePort.Name, servicePort.Protocol)
- } else {
- // Fall back to Service ClusterIP routing
- ep := ir.NewDestEndpoint(
- service.Spec.ClusterIP,
- uint32(*backendRef.Port))
- endpoints = append(endpoints, ep)
- }
-
- // TODO: support mixed endpointslice address type for the same backendRef
- if !t.EndpointRoutingDisabled && addrType != nil && *addrType == ir.MIXED {
- return nil, errors.New(
- "mixed endpointslice address type for the same backendRef is not supported")
- }
-
- backendTLS = t.processBackendTLSPolicy(
- *backendRef,
- serviceNamespace,
- // Gateway is not the appropriate parent reference here because the owner
- // of the BackendRef is the security policy, and there is no hierarchy
- // relationship between the security policy and a gateway.
- // The owner security policy of the BackendRef is used as the parent reference here.
- gwv1a2.ParentReference{
- Group: ptr.To(gwapiv1.Group(egv1a1.GroupName)),
- Kind: ptr.To(gwapiv1.Kind(egv1a1.KindSecurityPolicy)),
- Namespace: ptr.To(gwapiv1.Namespace(policy.Namespace)),
- Name: gwapiv1.ObjectName(policy.Name),
- },
- resources)
-
- return &ir.DestinationSetting{
- Weight: ptr.To(uint32(1)),
- Protocol: protocol,
- Endpoints: endpoints,
- AddressType: addrType,
- TLS: backendTLS,
- }, nil
-}
-
func irExtServiceDestinationName(policy *egv1a1.SecurityPolicy, backendRef *gwapiv1.BackendObjectReference) string {
nn := types.NamespacedName{
Name: string(backendRef.Name),
diff --git a/internal/gatewayapi/sort.go b/internal/gatewayapi/sort.go
index 00a5fc6389d..75d9ebc503a 100644
--- a/internal/gatewayapi/sort.go
+++ b/internal/gatewayapi/sort.go
@@ -18,33 +18,33 @@ func (x XdsIRRoutes) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
func (x XdsIRRoutes) Less(i, j int) bool {
// 1. Sort based on path match type
- // Exact > PathPrefix > RegularExpression
+ // Exact > RegularExpression > PathPrefix
if x[i].PathMatch != nil && x[i].PathMatch.Exact != nil {
if x[j].PathMatch != nil {
- if x[j].PathMatch.Prefix != nil {
+ if x[j].PathMatch.SafeRegex != nil {
return false
}
- if x[j].PathMatch.SafeRegex != nil {
+ if x[j].PathMatch.Prefix != nil {
return false
}
}
}
- if x[i].PathMatch != nil && x[i].PathMatch.Prefix != nil {
+ if x[i].PathMatch != nil && x[i].PathMatch.SafeRegex != nil {
if x[j].PathMatch != nil {
if x[j].PathMatch.Exact != nil {
return true
}
- if x[j].PathMatch.SafeRegex != nil {
+ if x[j].PathMatch.Prefix != nil {
return false
}
}
}
- if x[i].PathMatch != nil && x[i].PathMatch.SafeRegex != nil {
+ if x[i].PathMatch != nil && x[i].PathMatch.Prefix != nil {
if x[j].PathMatch != nil {
if x[j].PathMatch.Exact != nil {
return true
}
- if x[j].PathMatch.Prefix != nil {
+ if x[j].PathMatch.SafeRegex != nil {
return true
}
}
@@ -96,12 +96,12 @@ func pathMatchCount(pathMatch *ir.StringMatch) int {
if pathMatch.Exact != nil {
return len(*pathMatch.Exact)
}
- if pathMatch.Prefix != nil {
- return len(*pathMatch.Prefix)
- }
if pathMatch.SafeRegex != nil {
return len(*pathMatch.SafeRegex)
}
+ if pathMatch.Prefix != nil {
+ return len(*pathMatch.Prefix)
+ }
}
return 0
}
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
index 7194512bbb8..34b5a13021e 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
@@ -496,6 +496,7 @@ xdsIR:
expectedStatuses:
- 200
- 300
+ host: '*'
method: GET
path: /healthz
interval: 3s
@@ -624,6 +625,7 @@ xdsIR:
expectedStatuses:
- 200
- 201
+ host: gateway.envoyproxy.io
method: GET
path: /healthz
interval: 5s
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml
index b7eae0602f4..62a0ec8fc75 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml
@@ -258,6 +258,7 @@ xdsIR:
expectedStatuses:
- 200
- 300
+ host: ""
method: GET
path: /healthz
interval: 3s
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml
index 1524afa8734..774e7e0525b 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml
@@ -333,6 +333,7 @@ xdsIR:
expectedStatuses:
- 200
- 300
+ host: ""
method: GET
path: /healthz
interval: 3s
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-error.out.yaml
new file mode 100755
index 00000000000..5b052418212
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-error.out.yaml
@@ -0,0 +1,182 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1-section-http-1
+ namespace: envoy-gateway
+ spec:
+ connection:
+ bufferLimit: 100G
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ conditions:
+ - lastTransitionTime: null
+ message: BufferLimit value 100000000000 out of range
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1
+ namespace: envoy-gateway
+ spec:
+ connection: {}
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: There are existing ClientTrafficPolicies that are overriding these
+ sections [http-1]
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-1
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-2
+ port: 8080
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-1
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http-1
+ ports:
+ - containerPort: 10080
+ name: http-1
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: envoy-gateway/gateway-1/http-2
+ ports:
+ - containerPort: 8080
+ name: http-2
+ protocol: HTTP
+ servicePort: 8080
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-1
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ - address: 0.0.0.0
+ connection: {}
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8080
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.in.yaml
new file mode 100644
index 00000000000..ddd40c3344c
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.in.yaml
@@ -0,0 +1,48 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1
+ spec:
+ connection: {}
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1-section-http-1
+ spec:
+ connection:
+ bufferLimit: 500m
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ sectionName: http-1
+ namespace: envoy-gateway
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http-1
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-2
+ protocol: HTTP
+ port: 8080
+ allowedRoutes:
+ namespaces:
+ from: Same
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml
new file mode 100755
index 00000000000..85ec2d02e9d
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml
@@ -0,0 +1,182 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1-section-http-1
+ namespace: envoy-gateway
+ spec:
+ connection:
+ bufferLimit: 500m
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ conditions:
+ - lastTransitionTime: null
+ message: Invalid BufferLimit value 500m
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1
+ namespace: envoy-gateway
+ spec:
+ connection: {}
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: There are existing ClientTrafficPolicies that are overriding these
+ sections [http-1]
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-1
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-2
+ port: 8080
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-1
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http-1
+ ports:
+ - containerPort: 10080
+ name: http-1
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: envoy-gateway/gateway-1/http-2
+ ports:
+ - containerPort: 8080
+ name: http-2
+ protocol: HTTP
+ servicePort: 8080
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-1
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ - address: 0.0.0.0
+ connection: {}
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8080
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.in.yaml
new file mode 100644
index 00000000000..f3e7f0306e9
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.in.yaml
@@ -0,0 +1,48 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1
+ spec:
+ connection: {}
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1-section-http-1
+ spec:
+ connection:
+ bufferLimit: 100G
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ sectionName: http-1
+ namespace: envoy-gateway
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http-1
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-2
+ protocol: HTTP
+ port: 8080
+ allowedRoutes:
+ namespaces:
+ from: Same
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml
new file mode 100755
index 00000000000..2c9cb161ebf
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml
@@ -0,0 +1,182 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1-section-http-1
+ namespace: envoy-gateway
+ spec:
+ connection:
+ bufferLimit: 100G
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ conditions:
+ - lastTransitionTime: null
+ message: BufferLimit value 100G is out of range
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1
+ namespace: envoy-gateway
+ spec:
+ connection: {}
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: There are existing ClientTrafficPolicies that are overriding these
+ sections [http-1]
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-1
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-2
+ port: 8080
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-1
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http-1
+ ports:
+ - containerPort: 10080
+ name: http-1
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: envoy-gateway/gateway-1/http-2
+ ports:
+ - containerPort: 8080
+ name: http-2
+ protocol: HTTP
+ servicePort: 8080
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-1
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ - address: 0.0.0.0
+ connection: {}
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8080
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.in.yaml
new file mode 100644
index 00000000000..58258e81ef4
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.in.yaml
@@ -0,0 +1,48 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1
+ spec:
+ connection: {}
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1-section-http-1
+ spec:
+ connection:
+ bufferLimit: 50M
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ sectionName: http-1
+ namespace: envoy-gateway
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http-1
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-2
+ protocol: HTTP
+ port: 8080
+ allowedRoutes:
+ namespaces:
+ from: Same
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml
new file mode 100755
index 00000000000..8788cfd2e6c
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml
@@ -0,0 +1,184 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1-section-http-1
+ namespace: envoy-gateway
+ spec:
+ connection:
+ bufferLimit: 50M
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http-1
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1
+ namespace: envoy-gateway
+ spec:
+ connection: {}
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: There are existing ClientTrafficPolicies that are overriding these
+ sections [http-1]
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-1
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-2
+ port: 8080
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-1
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http-1
+ ports:
+ - containerPort: 10080
+ name: http-1
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: envoy-gateway/gateway-1/http-2
+ ports:
+ - containerPort: 8080
+ name: http-2
+ protocol: HTTP
+ servicePort: 8080
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ connection:
+ bufferLimit: 50000000
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-1
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ - address: 0.0.0.0
+ connection: {}
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8080
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml
index 82a60c2c033..136450f2abd 100644
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml
@@ -7,6 +7,7 @@ clientTrafficPolicies:
spec:
headers:
enableEnvoyHeaders: true
+ withUnderscoresAction: Allow
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml
index a3bf3ad5ce2..005487ada5b 100644
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml
@@ -8,6 +8,7 @@ clientTrafficPolicies:
spec:
headers:
enableEnvoyHeaders: true
+ withUnderscoresAction: Allow
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
@@ -129,6 +130,7 @@ xdsIR:
- address: 0.0.0.0
headers:
enableEnvoyHeaders: true
+ withUnderscoresAction: Allow
hostnames:
- '*'
isHTTP2: false
@@ -140,6 +142,7 @@ xdsIR:
- address: 0.0.0.0
headers:
enableEnvoyHeaders: true
+ withUnderscoresAction: Allow
hostnames:
- '*'
isHTTP2: false
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.in.yaml
new file mode 100644
index 00000000000..dfa5f302103
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.in.yaml
@@ -0,0 +1,31 @@
+clientTrafficPolicies:
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway
+ namespace: envoy-gateway
+ timeout:
+ http:
+ requestReceivedTimeout: "10sec"
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
+
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml
new file mode 100755
index 00000000000..21cb15d7f46
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml
@@ -0,0 +1,102 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway
+ namespace: envoy-gateway
+ timeout:
+ http:
+ requestReceivedTimeout: 10sec
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: 'Time: unknown unit "sec" in duration "10sec"'
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway/gateway:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway
+xdsIR:
+ envoy-gateway/gateway:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.in.yaml
new file mode 100644
index 00000000000..bbf4446fa36
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.in.yaml
@@ -0,0 +1,38 @@
+clientTrafficPolicies:
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway
+ namespace: envoy-gateway
+ sectionName: http-1
+ timeout:
+ http:
+ idleTimeout: "10s"
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http-1
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-2
+ protocol: HTTP
+ port: 8080
+ allowedRoutes:
+ namespaces:
+ from: Same
+
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml
new file mode 100755
index 00000000000..182fec065b0
--- /dev/null
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml
@@ -0,0 +1,152 @@
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway
+ namespace: envoy-gateway
+ sectionName: http-1
+ timeout:
+ http:
+ idleTimeout: 10s
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway
+ namespace: envoy-gateway
+ sectionName: http-1
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-1
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-2
+ port: 8080
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-1
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway/gateway:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway/http-1
+ ports:
+ - containerPort: 10080
+ name: http-1
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: envoy-gateway/gateway/http-2
+ ports:
+ - containerPort: 8080
+ name: http-2
+ protocol: HTTP
+ servicePort: 8080
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway
+xdsIR:
+ envoy-gateway/gateway:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway/http-1
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ timeout:
+ http:
+ idleTimeout: 10s
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8080
diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml
index 7e0d52a41d1..d8b882d368a 100644
--- a/internal/gatewayapi/testdata/conflicting-policies.out.yaml
+++ b/internal/gatewayapi/testdata/conflicting-policies.out.yaml
@@ -23,7 +23,8 @@ clientTrafficPolicies:
namespace: default
conditions:
- lastTransitionTime: null
- message: 'Affects additional listeners: default/gateway-1/http'
+ message: ClientTrafficPolicy is being applied to multiple http (non https)
+ listeners (default/gateway-1/http) on the same port, which is not allowed
reason: Invalid
status: "False"
type: Accepted
@@ -217,13 +218,6 @@ infraIR:
name: default/gateway-1/http
protocol: HTTP
servicePort: 80
- - address: null
- name: default/mfqjpuycbgjrtdww/http
- ports:
- - containerPort: 10080
- name: default/mfqjpuycbgjrtdww/http
- protocol: HTTP
- servicePort: 80
metadata:
labels:
gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
@@ -261,9 +255,9 @@ securityPolicies:
namespace: default
conditions:
- lastTransitionTime: null
- message: 'Affects multiple listeners: default/mfqjpuycbgjrtdww/http, default/gateway-1/http'
- reason: Invalid
- status: "False"
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
type: Accepted
controllerName: gateway.envoyproxy.io/gatewayclass-controller
xdsIR:
@@ -314,6 +308,20 @@ xdsIR:
- backendWeights:
invalid: 0
valid: 0
+ cors:
+ allowCredentials: true
+ allowMethods:
+ - PUT
+ - GET
+ - POST
+ - DELETE
+ - PATCH
+ - OPTIONS
+ allowOrigins:
+ - distinct: false
+ name: ""
+ safeRegex: http://.*\.foo\.com
+ maxAge: 10m0s
destination:
name: httproute/default/mfqjpuycbgjrtdww/rule/0
settings:
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.in.yaml
new file mode 100644
index 00000000000..0f6d26cf62c
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.in.yaml
@@ -0,0 +1,31 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ extProc:
+ - backendRef:
+ name: grpc-backend-4
+ port: 4000
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml
new file mode 100755
index 00000000000..983b95a6114
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml
@@ -0,0 +1,104 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway-1
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend-4
+ port: 4000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Namespace:default TargetRef.Namespace:envoy-gateway, EnvoyExtensionPolicy
+ can only target a resource in the same namespace.
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.in.yaml
new file mode 100644
index 00000000000..ce4ecde3766
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.in.yaml
@@ -0,0 +1,106 @@
+services:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: envoy-gateway
+ name: grpc-backend
+ spec:
+ ports:
+ - port: 9000
+ name: grpc
+ protocol: TCP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: default
+ name: grpc-backend-2
+ spec:
+ ports:
+ - port: 8000
+ name: grpc
+ protocol: TCP
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - gateway.envoyproxy.io
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: "/foo"
+ backendRefs:
+ - name: service-1
+ port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-2
+ spec:
+ hostnames:
+ - gateway.envoyproxy.io
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: "/bar"
+ backendRefs:
+ - name: service-1
+ port: 8080
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: policy-for-gateway-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ port: 9000
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-route-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ extProc:
+ - backendRef:
+ name: grpc-backend-2
+ port: 8000
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml
new file mode 100755
index 00000000000..1adc83f74aa
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml
@@ -0,0 +1,272 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-route-1
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend-2
+ port: 8000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway-1
+ namespace: envoy-gateway
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ port: 9000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other envoyExtensionPolicies
+ for these routes: [default/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 2
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - gateway.envoyproxy.io
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-2
+ namespace: default
+ spec:
+ hostnames:
+ - gateway.envoyproxy.io
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /bar
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ extProc:
+ - authority: grpc-backend-2.default:8000
+ destination:
+ name: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2
+ settings:
+ - protocol: GRPC
+ weight: 1
+ name: envoyextensionpolicy/default/policy-for-route-1/0
+ hostname: gateway.envoyproxy.io
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-2/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ extProc:
+ - authority: grpc-backend.envoy-gateway:9000
+ destination:
+ name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend
+ settings:
+ - protocol: GRPC
+ weight: 1
+ name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0
+ hostname: gateway.envoyproxy.io
+ isHTTP2: false
+ name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /bar
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.in.yaml
new file mode 100644
index 00000000000..3e2c4c63e1a
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.in.yaml
@@ -0,0 +1,207 @@
+EnvoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-gateway-1-as-well
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: not-same-namespace-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: not-same-namespace-gateway
+ namespace: another-namespace
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-httproute-in-gateway-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: also-target-httproute-in-gateway-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-grpcroute-in-gateway-2
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ name: grpcroute-1
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: target-unknown-httproute
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: unknown-httproute
+ namespace: envoy-gateway
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: not-same-namespace-httproute
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: not-same-namespace-httproute
+ namespace: another-namespace
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: HTTPRoute
+ metadata:
+ namespace: envoy-gateway
+ name: httproute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-1
+ port: 8080
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: HTTPRoute
+ metadata:
+ namespace: another-namespace
+ name: not-same-namespace-httproute
+ spec:
+ parentRefs:
+ - namespace: another-namespace
+ name: not-same-namespace-gateway
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-1
+ port: 8080
+grpcRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: GRPCRoute
+ metadata:
+ namespace: envoy-gateway
+ name: grpcroute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-2
+ rules:
+ - matches:
+ - headers:
+ - type: Exact
+ name: magic
+ value: foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-2
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: https
+ protocol: HTTPS
+ port: 443
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: tcp
+ protocol: TCP
+ port: 53
+ allowedRoutes:
+ namespaces:
+ from: Same
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ namespace: another-namespace
+ name: not-same-namespace-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: Same
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml
new file mode 100755
index 00000000000..9d6ba198049
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml
@@ -0,0 +1,621 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-httproute-in-gateway-1
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: also-target-httproute-in-gateway-1
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Unable to target HTTPRoute, another EnvoyExtensionPolicy has already
+ attached to it
+ reason: Conflicted
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-grpcroute-in-gateway-2
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ name: grpcroute-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-2
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-unknown-httproute
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: unknown-httproute
+ namespace: envoy-gateway
+ status:
+ ancestors: null
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: not-same-namespace-httproute
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: not-same-namespace-httproute
+ namespace: another-namespace
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: not-same-namespace-gateway
+ namespace: another-namespace
+ conditions:
+ - lastTransitionTime: null
+ message: Namespace:envoy-gateway TargetRef.Namespace:another-namespace, EnvoyExtensionPolicy
+ can only target a resource in the same namespace.
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other envoyExtensionPolicies
+ for these routes: [envoy-gateway/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-1-as-well
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Unable to target Gateway, another EnvoyExtensionPolicy has already
+ attached to it
+ reason: Conflicted
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-unknown-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: unknown-gateway
+ namespace: envoy-gateway
+ status:
+ ancestors: null
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: not-same-namespace-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: not-same-namespace-gateway
+ namespace: another-namespace
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: not-same-namespace-gateway
+ namespace: another-namespace
+ conditions:
+ - lastTransitionTime: null
+ message: Namespace:envoy-gateway TargetRef.Namespace:another-namespace, EnvoyExtensionPolicy
+ can only target a resource in the same namespace.
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-2
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: https
+ port: 443
+ protocol: HTTPS
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: tcp
+ port: 53
+ protocol: TCP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Listener must have TLS set when protocol is HTTPS.
+ reason: Invalid
+ status: "False"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: https
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: tcp
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: not-same-namespace-gateway
+ namespace: another-namespace
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+grpcRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: GRPCRoute
+ metadata:
+ creationTimestamp: null
+ name: grpcroute-1
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - name: gateway-2
+ namespace: envoy-gateway
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - headers:
+ - name: magic
+ type: Exact
+ value: foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Service envoy-gateway/service-1 not found
+ reason: BackendNotFound
+ status: "False"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-2
+ namespace: envoy-gateway
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Service envoy-gateway/service-1 not found
+ reason: BackendNotFound
+ status: "False"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: not-same-namespace-httproute
+ namespace: another-namespace
+ spec:
+ parentRefs:
+ - name: not-same-namespace-gateway
+ namespace: another-namespace
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: No listeners included by this parent ref allowed this attachment.
+ reason: NotAllowedByListeners
+ status: "False"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Service another-namespace/service-1 not found
+ reason: BackendNotFound
+ status: "False"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: not-same-namespace-gateway
+ namespace: another-namespace
+infraIR:
+ another-namespace/not-same-namespace-gateway:
+ proxy:
+ listeners:
+ - address: null
+ name: another-namespace/not-same-namespace-gateway/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: not-same-namespace-gateway
+ gateway.envoyproxy.io/owning-gateway-namespace: another-namespace
+ name: another-namespace/not-same-namespace-gateway
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+ envoy-gateway/gateway-2:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-2/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: envoy-gateway/gateway-2/tcp
+ ports:
+ - containerPort: 10053
+ name: tcp
+ protocol: TCP
+ servicePort: 53
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-2
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-2
+xdsIR:
+ another-namespace/not-same-namespace-gateway:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: another-namespace/not-same-namespace-gateway/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 1
+ valid: 0
+ directResponse:
+ statusCode: 500
+ hostname: '*'
+ isHTTP2: false
+ name: httproute/envoy-gateway/httproute-1/rule/0/match/0/*
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
+ envoy-gateway/gateway-2:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: true
+ name: envoy-gateway/gateway-2/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 1
+ valid: 0
+ directResponse:
+ statusCode: 500
+ headerMatches:
+ - distinct: false
+ exact: foo
+ name: magic
+ hostname: '*'
+ isHTTP2: true
+ name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/*
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.in.yaml
new file mode 100644
index 00000000000..78989127328
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.in.yaml
@@ -0,0 +1,60 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: default
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+services:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: default
+ name: grpc-backend
+ spec:
+ ports:
+ - port: 9000
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ port: 4000
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml
new file mode 100755
index 00000000000..394ccff73d5
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml
@@ -0,0 +1,162 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ port: 4000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: TCP Port 4000 not found on service default/grpc-backend
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+infraIR:
+ default/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: default/gateway-1
+xdsIR:
+ default/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: www.foo.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/www_foo_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.in.yaml
new file mode 100644
index 00000000000..b2420abfa9d
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.in.yaml
@@ -0,0 +1,59 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: default
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+services:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: default
+ name: grpc-backend
+ spec:
+ ports:
+ - port: 9000
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ extProc:
+ - backendRef:
+ name: grpc-backend
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml
new file mode 100755
index 00000000000..ea8098edd07
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml
@@ -0,0 +1,162 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: A valid port number corresponding to a port on the Service must be
+ specified
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+infraIR:
+ default/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: default/gateway-1
+xdsIR:
+ default/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: www.foo.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/www_foo_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.in.yaml
new file mode 100644
index 00000000000..6d3ec1fdd7e
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.in.yaml
@@ -0,0 +1,61 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: default
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+services:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: envoy-gateway
+ name: grpc-backend
+ spec:
+ ports:
+ - port: 9000
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ namespace: envoy-gateway
+ port: 9000
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml
new file mode 100755
index 00000000000..50535c1a392
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml
@@ -0,0 +1,164 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ namespace: envoy-gateway
+ port: 9000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Backend ref to Service envoy-gateway/grpc-backend not permitted by
+ any ReferenceGrant
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+infraIR:
+ default/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: default/gateway-1
+xdsIR:
+ default/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: www.foo.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/www_foo_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.in.yaml
new file mode 100644
index 00000000000..eff5a17efd2
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.in.yaml
@@ -0,0 +1,52 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: default
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ namespace: envoy-gateway
+ port: 9000
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml
new file mode 100755
index 00000000000..27519cb0302
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml
@@ -0,0 +1,163 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ namespace: envoy-gateway
+ port: 9000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Service envoy-gateway/grpc-backend not found
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+infraIR:
+ default/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: default/gateway-1
+xdsIR:
+ default/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: www.foo.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/www_foo_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml
new file mode 100644
index 00000000000..21c6fab4506
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml
@@ -0,0 +1,222 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: default
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /foo
+ backendRefs:
+ - name: service-1
+ port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-2
+ spec:
+ hostnames:
+ - www.bar.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: /bar
+ backendRefs:
+ - name: service-1
+ port: 8080
+services:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: envoy-gateway
+ name: grpc-backend
+ spec:
+ ports:
+ - port: 8000
+ name: grpc
+ protocol: TCP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: default
+ name: grpc-backend-2
+ spec:
+ ports:
+ - port: 9000
+ name: grpc
+ protocol: TCP
+endpointSlices:
+- apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-grpc-backend
+ namespace: envoy-gateway
+ labels:
+ kubernetes.io/service-name: grpc-backend
+ addressType: IPv4
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8000
+ endpoints:
+ - addresses:
+ - 7.7.7.7
+ conditions:
+ ready: true
+- apiVersion: discovery.k8s.io/v1
+ kind: EndpointSlice
+ metadata:
+ name: endpointslice-grpc-backend-2
+ namespace: default
+ labels:
+ kubernetes.io/service-name: grpc-backend-2
+ addressType: IPv4
+ ports:
+ - name: grpc
+ protocol: TCP
+ port: 9000
+ endpoints:
+ - addresses:
+ - 8.8.8.8
+ conditions:
+ ready: true
+referenceGrants:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: ReferenceGrant
+ metadata:
+ namespace: envoy-gateway
+ name: referencegrant-1
+ spec:
+ from:
+ - group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ namespace: default
+ - group: gateway.networking.k8s.io
+ kind: BackendTLSPolicy
+ namespace: default
+ to:
+ - group: ''
+ kind: Service
+configMaps:
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ca-cmap
+ namespace: default
+ data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+ BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+ MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+ A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+ 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+ yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+ kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+ Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+ bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+ 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+ 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+ i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+ A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+ d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+ 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+ -----END CERTIFICATE-----
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls-grpc
+ namespace: default
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: grpc-backend
+ namespace: envoy-gateway
+ sectionName: "8000"
+ tls:
+ caCertRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: grpc-backend
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls-grpc-2
+ namespace: default
+ spec:
+ targetRef:
+ group: ''
+ kind: Service
+ name: grpc-backend-2
+ sectionName: "9000"
+ tls:
+ caCertRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: grpc-backend-2
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ extProc:
+ - backendRef:
+ Name: grpc-backend
+ Namespace: envoy-gateway
+ Port: 8000
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-http-route
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ extProc:
+ - backendRef:
+ Name: grpc-backend-2
+ Port: 9000
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml
new file mode 100755
index 00000000000..66063672452
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml
@@ -0,0 +1,354 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls-grpc
+ namespace: default
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: grpc-backend
+ namespace: envoy-gateway
+ sectionName: "8000"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: grpc-backend
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyExtensionPolicy
+ name: policy-for-gateway
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls-grpc-2
+ namespace: default
+ spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: grpc-backend-2
+ sectionName: "9000"
+ tls:
+ caCertRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: grpc-backend-2
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyExtensionPolicy
+ name: policy-for-http-route
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-http-route
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend-2
+ port: 9000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ extProc:
+ - backendRef:
+ name: grpc-backend
+ namespace: envoy-gateway
+ port: 8000
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other envoyExtensionPolicies
+ for these routes: [default/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 2
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.foo.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-2
+ namespace: default
+ spec:
+ hostnames:
+ - www.bar.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /bar
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+infraIR:
+ default/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: default/gateway-1
+xdsIR:
+ default/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ extProc:
+ - authority: grpc-backend-2.default:9000
+ destination:
+ name: envoyextensionpolicy/default/policy-for-http-route/0/grpc-backend-2
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 8.8.8.8
+ port: 9000
+ protocol: GRPC
+ tls:
+ caCertificate:
+ certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ name: policy-btls-grpc-2/default-ca
+ sni: grpc-backend-2
+ weight: 1
+ name: envoyextensionpolicy/default/policy-for-http-route/0
+ hostname: www.foo.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/www_foo_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-2/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ extProc:
+ - authority: grpc-backend.envoy-gateway:8000
+ destination:
+ name: envoyextensionpolicy/default/policy-for-gateway/0/grpc-backend
+ settings:
+ - addressType: IP
+ protocol: GRPC
+ tls:
+ caCertificate:
+ certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ name: policy-btls-grpc/default-ca
+ sni: grpc-backend
+ weight: 1
+ name: envoyextensionpolicy/default/policy-for-gateway/0
+ hostname: www.bar.com
+ isHTTP2: false
+ name: httproute/default/httproute-2/rule/0/match/0/www_bar_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /bar
diff --git a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml
index 9624ffcaab1..ca598b9d046 100644
--- a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml
+++ b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml
@@ -126,11 +126,11 @@ xdsIR:
weight: 1
hostname: '*'
isHTTP2: true
- name: grpcroute/default/grpcroute-1/rule/0/match/0/*
+ name: grpcroute/default/grpcroute-1/rule/0/match/1/*
pathMatch:
distinct: false
name: ""
- prefix: /com.ExampleExact
+ safeRegex: /com.[A-Z]+/[A-Za-z_][A-Za-z_0-9]*
- backendWeights:
invalid: 0
valid: 0
@@ -145,8 +145,8 @@ xdsIR:
weight: 1
hostname: '*'
isHTTP2: true
- name: grpcroute/default/grpcroute-1/rule/0/match/1/*
+ name: grpcroute/default/grpcroute-1/rule/0/match/0/*
pathMatch:
distinct: false
name: ""
- safeRegex: /com.[A-Z]+/[A-Za-z_][A-Za-z_0-9]*
+ prefix: /com.ExampleExact
diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.in.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.in.yaml
new file mode 100644
index 00000000000..81e8ae3c976
--- /dev/null
+++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.in.yaml
@@ -0,0 +1,45 @@
+envoyproxy:
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyProxy
+ metadata:
+ namespace: envoy-gateway-system
+ name: test
+ spec:
+ mergeGateways: true
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-2
+ hostname: company.com
+ port: 8888
+ protocol: HTTP
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ name: gateway-2
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http-3
+ port: 8888
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-4
+ hostname: example.com
+ port: 8888
+ protocol: HTTP
diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml
new file mode 100755
index 00000000000..94ab094ec2e
--- /dev/null
+++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml
@@ -0,0 +1,210 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http
+ port: 80
+ protocol: HTTP
+ - hostname: company.com
+ name: http-2
+ port: 8888
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-2
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ name: http-3
+ port: 8888
+ protocol: HTTP
+ - hostname: example.com
+ name: http-4
+ port: 8888
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-3
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 0
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-4
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+infraIR:
+ envoy-gateway-class:
+ proxy:
+ config:
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyProxy
+ metadata:
+ creationTimestamp: null
+ name: test
+ namespace: envoy-gateway-system
+ spec:
+ logging: {}
+ mergeGateways: true
+ status: {}
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: envoy-gateway/gateway-1/http
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: envoy-gateway/gateway-1/http-2
+ ports:
+ - containerPort: 8888
+ name: envoy-gateway/gateway-1/http-2
+ protocol: HTTP
+ servicePort: 8888
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
+ name: envoy-gateway-class
+xdsIR:
+ envoy-gateway-class:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ - address: 0.0.0.0
+ hostnames:
+ - company.com
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8888
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-2/http-3
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8888
+ - address: 0.0.0.0
+ hostnames:
+ - example.com
+ isHTTP2: false
+ name: envoy-gateway/gateway-2/http-4
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 8888
diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.in.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.in.yaml
new file mode 100644
index 00000000000..888c4e4b713
--- /dev/null
+++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.in.yaml
@@ -0,0 +1,225 @@
+envoyproxy:
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyProxy
+ metadata:
+ namespace: envoy-gateway-system
+ name: test
+ spec:
+ mergeGateways: true
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ hostname: bar.example.com
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-2
+ port: 80
+ hostname: foo.example.com
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ name: gateway-2
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ port: 81
+ protocol: HTTP
+ hostname: bar.example.com
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: http-2
+ port: 81
+ hostname: foo.example.com
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - bar.example.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-1
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-2
+ spec:
+ hostnames:
+ - foo.example.com
+ parentRefs:
+ - namespace: default
+ name: gateway-1
+ sectionName: http-2
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-2
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-3
+ spec:
+ hostnames:
+ - bar.example.com
+ parentRefs:
+ - namespace: default
+ name: gateway-2
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-1
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-4
+ spec:
+ hostnames:
+ - foo.example.com
+ parentRefs:
+ - namespace: default
+ name: gateway-2
+ sectionName: http-2
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-2
+ port: 8080
+securityPolicies:
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ namespace: default
+ name: policy-for-route-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ cors:
+ allowOrigins:
+ - "*"
+ allowMethods:
+ - GET
+ - POST
+ allowHeaders:
+ - "x-header-5"
+ - "x-header-6"
+ exposeHeaders:
+ - "x-header-7"
+ - "x-header-8"
+ maxAge: 2000s
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ namespace: default
+ name: policy-for-route-2
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-3
+ namespace: default
+ cors:
+ allowOrigins:
+ - "*"
+ allowMethods:
+ - GET
+ - POST
+ allowHeaders:
+ - "x-header-5"
+ - "x-header-6"
+ exposeHeaders:
+ - "x-header-7"
+ - "x-header-8"
+ maxAge: 2000s
+clientTrafficPolicies:
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: default
+ name: target-gateway-2
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-2
+ sectionName: http
+ namespace: default
+ timeout:
+ http:
+ requestReceivedTimeout: "5s"
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ namespace: default
+ name: target-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ timeout:
+ http:
+ requestReceivedTimeout: "5s"
+backendTrafficPolicies:
+ - apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ namespace: default
+ name: policy-for-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ tcpKeepalive:
+ probes: 3
+ idleTime: 20m
+ interval: 60s
diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml
new file mode 100755
index 00000000000..15e35504f91
--- /dev/null
+++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml
@@ -0,0 +1,683 @@
+backendTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: BackendTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: default
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ tcpKeepalive:
+ idleTime: 20m
+ interval: 60s
+ probes: 3
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+clientTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway-2
+ namespace: default
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-2
+ namespace: default
+ sectionName: http
+ timeout:
+ http:
+ requestReceivedTimeout: 5s
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-2
+ namespace: default
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: ClientTrafficPolicy is being applied to multiple http (non https)
+ listeners (default/gateway-2/http-2) on the same port, which is not allowed
+ reason: Invalid
+ status: "False"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: ClientTrafficPolicy
+ metadata:
+ creationTimestamp: null
+ name: target-gateway
+ namespace: default
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ timeout:
+ http:
+ requestReceivedTimeout: 5s
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: bar.example.com
+ name: http
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: foo.example.com
+ name: http-2
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+- apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-2
+ namespace: default
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: bar.example.com
+ name: http
+ port: 81
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: foo.example.com
+ name: http-2
+ port: 81
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http-2
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - bar.example.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-2
+ namespace: default
+ spec:
+ hostnames:
+ - foo.example.com
+ parentRefs:
+ - name: gateway-1
+ namespace: default
+ sectionName: http-2
+ rules:
+ - backendRefs:
+ - name: service-2
+ port: 8080
+ matches:
+ - path:
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: default
+ sectionName: http-2
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-3
+ namespace: default
+ spec:
+ hostnames:
+ - bar.example.com
+ parentRefs:
+ - name: gateway-2
+ namespace: default
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-2
+ namespace: default
+ sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-4
+ namespace: default
+ spec:
+ hostnames:
+ - foo.example.com
+ parentRefs:
+ - name: gateway-2
+ namespace: default
+ sectionName: http-2
+ rules:
+ - backendRefs:
+ - name: service-2
+ port: 8080
+ matches:
+ - path:
+ value: /
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-2
+ namespace: default
+ sectionName: http-2
+infraIR:
+ envoy-gateway-class:
+ proxy:
+ config:
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyProxy
+ metadata:
+ creationTimestamp: null
+ name: test
+ namespace: envoy-gateway-system
+ spec:
+ logging: {}
+ mergeGateways: true
+ status: {}
+ listeners:
+ - address: null
+ name: default/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: default/gateway-1/http
+ protocol: HTTP
+ servicePort: 80
+ - address: null
+ name: default/gateway-2/http
+ ports:
+ - containerPort: 10081
+ name: default/gateway-2/http
+ protocol: HTTP
+ servicePort: 81
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
+ name: envoy-gateway-class
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-route-2
+ namespace: default
+ spec:
+ cors:
+ allowHeaders:
+ - x-header-5
+ - x-header-6
+ allowMethods:
+ - GET
+ - POST
+ allowOrigins:
+ - '*'
+ exposeHeaders:
+ - x-header-7
+ - x-header-8
+ maxAge: 33m20s
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-3
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-2
+ namespace: default
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: SecurityPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-route-1
+ namespace: default
+ spec:
+ cors:
+ allowHeaders:
+ - x-header-5
+ - x-header-6
+ allowMethods:
+ - GET
+ - POST
+ allowOrigins:
+ - '*'
+ exposeHeaders:
+ - x-header-7
+ - x-header-8
+ maxAge: 33m20s
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+xdsIR:
+ envoy-gateway-class:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - bar.example.com
+ isHTTP2: false
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ cors:
+ allowHeaders:
+ - x-header-5
+ - x-header-6
+ allowMethods:
+ - GET
+ - POST
+ allowOrigins:
+ - distinct: false
+ name: ""
+ safeRegex: .*
+ exposeHeaders:
+ - x-header-7
+ - x-header-8
+ maxAge: 33m20s
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: bar.example.com
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/bar_example_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
+ tcpKeepalive:
+ idleTime: 1200
+ interval: 60
+ probes: 3
+ timeout:
+ http:
+ requestReceivedTimeout: 5s
+ - address: 0.0.0.0
+ hostnames:
+ - foo.example.com
+ isHTTP2: false
+ name: default/gateway-1/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ cors:
+ allowHeaders:
+ - x-header-5
+ - x-header-6
+ allowMethods:
+ - GET
+ - POST
+ allowOrigins:
+ - distinct: false
+ name: ""
+ safeRegex: .*
+ exposeHeaders:
+ - x-header-7
+ - x-header-8
+ maxAge: 33m20s
+ destination:
+ name: httproute/default/httproute-2/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: foo.example.com
+ isHTTP2: false
+ name: httproute/default/httproute-2/rule/0/match/0/foo_example_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
+ tcpKeepalive:
+ idleTime: 1200
+ interval: 60
+ probes: 3
+ timeout:
+ http:
+ requestReceivedTimeout: 5s
+ - address: 0.0.0.0
+ hostnames:
+ - bar.example.com
+ isHTTP2: false
+ name: default/gateway-2/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10081
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ cors:
+ allowHeaders:
+ - x-header-5
+ - x-header-6
+ allowMethods:
+ - GET
+ - POST
+ allowOrigins:
+ - distinct: false
+ name: ""
+ safeRegex: .*
+ exposeHeaders:
+ - x-header-7
+ - x-header-8
+ maxAge: 33m20s
+ destination:
+ name: httproute/default/httproute-3/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: bar.example.com
+ isHTTP2: false
+ name: httproute/default/httproute-3/rule/0/match/0/bar_example_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
+ - address: 0.0.0.0
+ hostnames:
+ - foo.example.com
+ isHTTP2: false
+ name: default/gateway-2/http-2
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10081
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-4/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: foo.example.com
+ isHTTP2: false
+ name: httproute/default/httproute-4/rule/0/match/0/foo_example_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go
index 12a5cf81743..9dc93532479 100644
--- a/internal/gatewayapi/translator.go
+++ b/internal/gatewayapi/translator.go
@@ -114,6 +114,7 @@ func newTranslateResult(gateways []*GatewayContext,
backendTrafficPolicies []*egv1a1.BackendTrafficPolicy,
securityPolicies []*egv1a1.SecurityPolicy,
backendTLSPolicies []*egv1a2.BackendTLSPolicy,
+ envoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy,
xdsIR XdsIRMap, infraIR InfraIRMap) *TranslateResult {
translateResult := &TranslateResult{
XdsIR: xdsIR,
@@ -143,6 +144,7 @@ func newTranslateResult(gateways []*GatewayContext,
translateResult.BackendTrafficPolicies = append(translateResult.BackendTrafficPolicies, backendTrafficPolicies...)
translateResult.SecurityPolicies = append(translateResult.SecurityPolicies, securityPolicies...)
translateResult.BackendTLSPolicies = append(translateResult.BackendTLSPolicies, backendTLSPolicies...)
+ translateResult.EnvoyExtensionPolicies = append(translateResult.EnvoyExtensionPolicies, envoyExtensionPolicies...)
return translateResult
}
@@ -207,12 +209,17 @@ func (t *Translator) Translate(resources *Resources) *TranslateResult {
securityPolicies := t.ProcessSecurityPolicies(
resources.SecurityPolicies, gateways, routes, resources, xdsIR)
+ // Process EnvoyExtensionPolicies
+ envoyExtensionPolicies := t.ProcessEnvoyExtensionPolicies(
+ resources.EnvoyExtensionPolicies, gateways, routes, resources, xdsIR)
+
// Sort xdsIR based on the Gateway API spec
sortXdsIRMap(xdsIR)
return newTranslateResult(gateways, httpRoutes, grpcRoutes, tlsRoutes,
tcpRoutes, udpRoutes, clientTrafficPolicies, backendTrafficPolicies,
- securityPolicies, resources.BackendTLSPolicies, xdsIR, infraIR)
+ securityPolicies, resources.BackendTLSPolicies, envoyExtensionPolicies,
+ xdsIR, infraIR)
}
diff --git a/internal/gatewayapi/zz_generated.deepcopy.go b/internal/gatewayapi/zz_generated.deepcopy.go
index 30c6c2938b1..336498b2214 100644
--- a/internal/gatewayapi/zz_generated.deepcopy.go
+++ b/internal/gatewayapi/zz_generated.deepcopy.go
@@ -238,6 +238,17 @@ func (in *Resources) DeepCopyInto(out *Resources) {
}
}
}
+ if in.EnvoyExtensionPolicies != nil {
+ in, out := &in.EnvoyExtensionPolicies, &out.EnvoyExtensionPolicies
+ *out = make([]*apiv1alpha1.EnvoyExtensionPolicy, len(*in))
+ for i := range *in {
+ if (*in)[i] != nil {
+ in, out := &(*in)[i], &(*out)[i]
+ *out = new(apiv1alpha1.EnvoyExtensionPolicy)
+ (*in).DeepCopyInto(*out)
+ }
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources.
diff --git a/internal/infrastructure/kubernetes/infra_client.go b/internal/infrastructure/kubernetes/infra_client.go
index e1c2a0b2b89..72141ee1126 100644
--- a/internal/infrastructure/kubernetes/infra_client.go
+++ b/internal/infrastructure/kubernetes/infra_client.go
@@ -38,8 +38,8 @@ func (cli *InfraClient) CreateOrUpdate(ctx context.Context, key client.ObjectKey
// Since the client.Object does not have a specific Spec field to compare
// just perform an update for now.
if updateChecker() {
- specific.SetUID(current.GetUID())
- if err := cli.Client.Update(ctx, specific); err != nil {
+ opts := []client.PatchOption{client.ForceOwnership, client.FieldOwner("envoy-gateway")}
+ if err := cli.Client.Patch(ctx, specific, client.Apply, opts...); err != nil {
return fmt.Errorf("for Update: %w", err)
}
}
diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go
index c0cc459da95..0e5f40191da 100644
--- a/internal/infrastructure/kubernetes/proxy/resource.go
+++ b/internal/infrastructure/kubernetes/proxy/resource.go
@@ -143,8 +143,14 @@ func expectedProxyContainers(infra *ir.ProxyInfra,
infra.Config.Spec.Telemetry != nil {
proxyMetrics = infra.Config.Spec.Telemetry.Metrics
}
+
+ maxHeapSizeBytes := caclulateMaxHeapSizeBytes(deploymentConfig.Container.Resources)
+
// Get the default Bootstrap
- bootstrapConfigurations, err := bootstrap.GetRenderedBootstrapConfig(proxyMetrics)
+ bootstrapConfigurations, err := bootstrap.GetRenderedBootstrapConfig(&bootstrap.RenderBootsrapConfigOptions{
+ ProxyMetrics: proxyMetrics,
+ MaxHeapSizeBytes: maxHeapSizeBytes,
+ })
if err != nil {
return nil, err
}
@@ -389,3 +395,18 @@ func expectedContainerEnv(containerSpec *egv1a1.KubernetesContainerSpec) []corev
return env
}
}
+
+// caclulateMaxHeapSizeBytes calculates the maximum heap size in bytes as 80% of Envoy container memory limits.
+// In case no limits are defined '0' is returned, which means no heap size limit is set.
+func caclulateMaxHeapSizeBytes(envoyResourceRequirements *corev1.ResourceRequirements) uint64 {
+ if envoyResourceRequirements == nil || envoyResourceRequirements.Limits == nil {
+ return 0
+ }
+
+ if memLimit, ok := envoyResourceRequirements.Limits[corev1.ResourceMemory]; ok {
+ memLimitBytes := memLimit.Value()
+ return uint64(float64(memLimitBytes) * 0.8)
+ }
+
+ return 0
+}
diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
index 8f08c81084c..3b105cc96c3 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
@@ -497,6 +497,19 @@ func TestDeployment(t *testing.T) {
infra: newTestInfra(),
extraArgs: []string{"--key1 val1", "--key2 val2"},
},
+ {
+ caseName: "with-empty-memory-limits",
+ infra: newTestInfra(),
+ deploy: &egv1a1.KubernetesDeploymentSpec{
+ Container: &egv1a1.KubernetesContainerSpec{
+ Resources: &corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("400m"),
+ },
+ },
+ },
+ },
+ },
}
for _, tc := range cases {
t.Run(tc.caseName, func(t *testing.T) {
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
index e26fd3bb243..a2b36699624 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
@@ -168,6 +168,28 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ - name: "envoy.resource_monitors.fixed_heap"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig
+ max_heap_size_bytes: 1717986918
+ actions:
+ - name: "envoy.overload_actions.shrink_heap"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.95
+ - name: "envoy.overload_actions.stop_accepting_requests"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.98
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
index f02af889f68..2a179f2e7b4 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
@@ -168,6 +168,28 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ - name: "envoy.resource_monitors.fixed_heap"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig
+ max_heap_size_bytes: 1717986918
+ actions:
+ - name: "envoy.overload_actions.shrink_heap"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.95
+ - name: "envoy.overload_actions.stop_accepting_requests"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.98
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
index 04221e4729e..c255d72fee5 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
@@ -166,6 +166,28 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ - name: "envoy.resource_monitors.fixed_heap"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig
+ max_heap_size_bytes: 1717986918
+ actions:
+ - name: "envoy.overload_actions.shrink_heap"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.95
+ - name: "envoy.overload_actions.stop_accepting_requests"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.98
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml
index 0494805da44..68730b25dca 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml
@@ -165,6 +165,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml
index dd9f7589afe..a048b3247b6 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml
@@ -139,6 +139,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
index 17067fe31c1..56cc469846f 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
@@ -166,6 +166,28 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ - name: "envoy.resource_monitors.fixed_heap"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig
+ max_heap_size_bytes: 1717986918
+ actions:
+ - name: "envoy.overload_actions.shrink_heap"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.95
+ - name: "envoy.overload_actions.stop_accepting_requests"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.98
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml
index f94e7d60edc..398deeefc8f 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml
@@ -176,6 +176,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml
index f21cea60099..f47f6b5e114 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml
@@ -165,6 +165,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml
index 94db8632dbb..66709926358 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml
@@ -165,6 +165,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
- --drain-time-s 30
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
index b663085188e..a452cb55c8a 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
@@ -166,6 +166,28 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ - name: "envoy.resource_monitors.fixed_heap"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig
+ max_heap_size_bytes: 1717986918
+ actions:
+ - name: "envoy.overload_actions.shrink_heap"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.95
+ - name: "envoy.overload_actions.stop_accepting_requests"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.98
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml
index 0fa8f3154d1..d56f8a2b267 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml
@@ -170,6 +170,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml
new file mode 100644
index 00000000000..050ed47b5d3
--- /dev/null
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml
@@ -0,0 +1,299 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ name: envoy-default-37a8eec1
+ namespace: envoy-gateway-system
+spec:
+ progressDeadlineSeconds: 600
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "19001"
+ prometheus.io/scrape: "true"
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ gateway.envoyproxy.io/owning-gateway-name: default
+ gateway.envoyproxy.io/owning-gateway-namespace: default
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - args:
+ - --service-cluster default
+ - --service-node $(ENVOY_POD_NAME)
+ - |
+ --config-yaml admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+ dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+ static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ - --log-level warn
+ - --cpuset-threads
+ command:
+ - envoy
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/envoy:distroless-dev
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ httpGet:
+ path: /shutdown/ready
+ port: 19002
+ scheme: HTTP
+ name: envoy
+ ports:
+ - containerPort: 8080
+ name: EnvoyH-d76a15e2
+ protocol: TCP
+ - containerPort: 8443
+ name: EnvoyH-6658f727
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 400m
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ - mountPath: /sds
+ name: sds
+ - args:
+ - envoy
+ - shutdown-manager
+ command:
+ - envoy-gateway
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ image: envoyproxy/gateway-dev:latest
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - envoy-gateway
+ - envoy
+ - shutdown
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: shutdown-manager
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 19002
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccountName: envoy-default-37a8eec1
+ terminationGracePeriodSeconds: 900
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: envoy
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: xds-trusted-ca.json
+ path: xds-trusted-ca.json
+ - key: xds-certificate.json
+ path: xds-certificate.json
+ name: envoy-default-37a8eec1
+ optional: false
+ name: sds
+status: {}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml
index 82ae60063a3..b077bd33364 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml
@@ -165,6 +165,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
- --key1 val1
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml
index d42d7c43ef6..13cdfe76c1a 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml
@@ -165,6 +165,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml
index d3ca7b694cf..5e7d0144baf 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml
@@ -165,6 +165,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml
index 775076ec0d8..44d3bcfdb4e 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml
@@ -165,6 +165,13 @@ spec:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+ overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
- --log-level warn
- --cpuset-threads
command:
diff --git a/internal/infrastructure/kubernetes/proxy_configmap_test.go b/internal/infrastructure/kubernetes/proxy_configmap_test.go
index 2d99048a6d5..4df19b223f2 100644
--- a/internal/infrastructure/kubernetes/proxy_configmap_test.go
+++ b/internal/infrastructure/kubernetes/proxy_configmap_test.go
@@ -99,9 +99,16 @@ func TestCreateOrUpdateProxyConfigMap(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
var cli client.Client
if tc.current != nil {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.current).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithObjects(tc.current).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
} else {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
}
kube := NewInfra(cli, cfg)
r := proxy.NewResourceRender(kube.Namespace, infra.GetProxyInfra())
diff --git a/internal/infrastructure/kubernetes/proxy_deployment_test.go b/internal/infrastructure/kubernetes/proxy_deployment_test.go
index 5dda2a8be7a..eb5411fc3ef 100644
--- a/internal/infrastructure/kubernetes/proxy_deployment_test.go
+++ b/internal/infrastructure/kubernetes/proxy_deployment_test.go
@@ -106,9 +106,16 @@ func TestCreateOrUpdateProxyDeployment(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
var cli client.Client
if tc.current != nil {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.current).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithObjects(tc.current).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
} else {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
}
kube := NewInfra(cli, cfg)
diff --git a/internal/infrastructure/kubernetes/proxy_infra_test.go b/internal/infrastructure/kubernetes/proxy_infra_test.go
index 9d3d2fe98ea..d39f8059799 100644
--- a/internal/infrastructure/kubernetes/proxy_infra_test.go
+++ b/internal/infrastructure/kubernetes/proxy_infra_test.go
@@ -7,6 +7,8 @@ package kubernetes
import (
"context"
+ "errors"
+ "fmt"
"reflect"
"testing"
@@ -14,9 +16,12 @@ import (
"github.com/stretchr/testify/require"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
+ "sigs.k8s.io/controller-runtime/pkg/client/interceptor"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
@@ -28,10 +33,42 @@ import (
)
func newTestInfra(t *testing.T) *Infra {
- cli := fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).Build()
+ cli := fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
return newTestInfraWithClient(t, cli)
}
+// Borrowing the interceptor from https://github.com/istio/istio/blob/2f54c6a52a5c6661d5eb9bd2277aab77304fee45/operator/pkg/helmreconciler/apply_test.go#L40
+// Interceptor is used for ApplyPatch as of this patch is not yet supported by the fake client, see https://github.com/kubernetes/kubernetes/issues/99953
+var interceptorFunc = interceptor.Funcs{Patch: func(
+ ctx context.Context,
+ clnt client.WithWatch,
+ obj client.Object,
+ patch client.Patch,
+ opts ...client.PatchOption,
+) error {
+ // Apply patches are supposed to upsert, but fake client fails if the object doesn't exist,
+ // if an apply patch occurs for an object that doesn't yet exist, create it.
+ if patch.Type() != types.ApplyPatchType {
+ return clnt.Patch(ctx, obj, patch, opts...)
+ }
+ check, ok := obj.DeepCopyObject().(client.Object)
+ if !ok {
+ return errors.New("could not check for object in fake client")
+ }
+ if err := clnt.Get(ctx, client.ObjectKeyFromObject(obj), check); kerrors.IsNotFound(err) {
+ if err := clnt.Create(ctx, check); err != nil {
+ return fmt.Errorf("could not inject object creation for fake: %w", err)
+ }
+ } else if err != nil {
+ return err
+ }
+ obj.SetResourceVersion(check.GetResourceVersion())
+ return clnt.Update(ctx, obj)
+}}
+
func TestCmpBytes(t *testing.T) {
m1 := map[string][]byte{}
m1["a"] = []byte("aaa")
diff --git a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
index 0cde399a2df..abed92cbccb 100644
--- a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
+++ b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
@@ -174,9 +174,16 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
var cli client.Client
if tc.current != nil {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.current).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithObjects(tc.current).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
} else {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
}
kube := NewInfra(cli, cfg)
diff --git a/internal/infrastructure/kubernetes/ratelimit_deployment_test.go b/internal/infrastructure/kubernetes/ratelimit_deployment_test.go
index bfb444880f6..d57e003d383 100644
--- a/internal/infrastructure/kubernetes/ratelimit_deployment_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit_deployment_test.go
@@ -68,9 +68,16 @@ func TestCreateOrUpdateRateLimitDeployment(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
var cli client.Client
if tc.current != nil {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.current).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithObjects(tc.current).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
} else {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
}
kube := NewInfra(cli, cfg)
diff --git a/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go b/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go
index 215c091fb36..53084f6620d 100644
--- a/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go
@@ -92,9 +92,16 @@ func TestCreateOrUpdateRateLimitServiceAccount(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
var cli client.Client
if tc.current != nil {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.current).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithObjects(tc.current).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
} else {
- cli = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).Build()
+ cli = fakeclient.NewClientBuilder().
+ WithScheme(envoygateway.GetScheme()).
+ WithInterceptorFuncs(interceptorFunc).
+ Build()
}
cfg, err := config.New()
diff --git a/internal/infrastructure/runner/runner.go b/internal/infrastructure/runner/runner.go
index 452e346f174..8da18e46443 100644
--- a/internal/infrastructure/runner/runner.go
+++ b/internal/infrastructure/runner/runner.go
@@ -8,6 +8,8 @@ package runner
import (
"context"
+ "k8s.io/utils/ptr"
+
"github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/envoygateway/config"
"github.com/envoyproxy/gateway/internal/infrastructure"
@@ -41,14 +43,31 @@ func (r *Runner) Start(ctx context.Context) (err error) {
r.Logger.Error(err, "failed to create new manager")
return err
}
- go r.subscribeToProxyInfraIR(ctx)
- // Enable global ratelimit if it has been configured.
- if r.EnvoyGateway.RateLimit != nil {
- go r.enableRateLimitInfra(ctx)
+ var initInfra = func() {
+ go r.subscribeToProxyInfraIR(ctx)
+
+ // Enable global ratelimit if it has been configured.
+ if r.EnvoyGateway.RateLimit != nil {
+ go r.enableRateLimitInfra(ctx)
+ }
+ r.Logger.Info("started")
}
- r.Logger.Info("started")
+ // When leader election is active, infrastructure initialization occurs only upon acquiring leadership
+ // to avoid multiple EG instances processing envoy proxy infra resources.
+ if !ptr.Deref(r.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) {
+ go func() {
+ select {
+ case <-ctx.Done():
+ return
+ case <-r.Elected:
+ initInfra()
+ }
+ }()
+ return
+ }
+ initInfra()
return
}
@@ -66,6 +85,11 @@ func (r *Runner) subscribeToProxyInfraIR(ctx context.Context) {
}
} else {
// Manage the proxy infra.
+ if len(val.Proxy.Listeners) == 0 {
+ r.Logger.Info("Infra IR was updated, but no listeners were found. Skipping infra creation.")
+ return
+ }
+
if err := r.mgr.CreateOrUpdateProxyInfra(ctx, val); err != nil {
r.Logger.Error(err, "failed to create new infra")
errChan <- err
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 86664e59567..abe5d59b6b9 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -54,6 +54,7 @@ var (
ErrHealthCheckUnhealthyThresholdInvalid = errors.New("field HealthCheck.UnhealthyThreshold should be greater than 0")
ErrHealthCheckHealthyThresholdInvalid = errors.New("field HealthCheck.HealthyThreshold should be greater than 0")
ErrHealthCheckerInvalid = errors.New("health checker setting is invalid, only one health checker can be set")
+ ErrHCHTTPHostInvalid = errors.New("field HTTPHealthChecker.Host should be specified")
ErrHCHTTPPathInvalid = errors.New("field HTTPHealthChecker.Path should be specified")
ErrHCHTTPMethodInvalid = errors.New("only one of the GET, HEAD, POST, DELETE, OPTIONS, TRACE, PATCH of HTTPHealthChecker.Method could be set")
ErrHCHTTPExpectedStatusesInvalid = errors.New("field HTTPHealthChecker.ExpectedStatuses should be specified")
@@ -361,6 +362,14 @@ type PathSettings struct {
EscapedSlashesAction PathEscapedSlashAction `json:"escapedSlashesAction" yaml:"escapedSlashesAction"`
}
+type WithUnderscoresAction egv1a1.WithUnderscoresAction
+
+const (
+ WithUnderscoresActionAllow = WithUnderscoresAction(egv1a1.WithUnderscoresActionAllow)
+ WithUnderscoresActionRejectRequest = WithUnderscoresAction(egv1a1.WithUnderscoresActionRejectRequest)
+ WithUnderscoresActionDropHeader = WithUnderscoresAction(egv1a1.WithUnderscoresActionDropHeader)
+)
+
// ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
// +k8s:deepcopy-gen=true
type ClientIPDetectionSettings egv1a1.ClientIPDetectionSettings
@@ -394,6 +403,11 @@ type HeaderSettings struct {
// The default is to suppress these headers.
// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#extensions-filters-http-router-v3-router
EnableEnvoyHeaders bool `json:"enableEnvoyHeaders,omitempty" yaml:"enableEnvoyHeaders,omitempty"`
+
+ // WithUnderscoresAction configures the action to take when an HTTP header with underscores
+ // is encountered. The default action is to reject the request.
+ // Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-enum-config-core-v3-httpprotocoloptions-headerswithunderscoresaction
+ WithUnderscoresAction WithUnderscoresAction `json:"withUnderscoresAction,omitempty" yaml:"withUnderscoresAction,omitempty"`
}
// ClientTimeout sets the timeout configuration for downstream connections
@@ -409,6 +423,8 @@ type HTTPClientTimeout struct {
// The duration envoy waits for the complete request reception. This timer starts upon request
// initiation and stops when either the last byte of the request is sent upstream or when the response begins.
RequestReceivedTimeout *metav1.Duration `json:"requestReceivedTimeout,omitempty" yaml:"requestReceivedTimeout,omitempty"`
+ // IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ IdleTimeout *metav1.Duration `json:"idleTimeout,omitempty" yaml:"idleTimeout,omitempty"`
}
// HTTPRoute holds the route information associated with the HTTP Route
@@ -477,6 +493,8 @@ type HTTPRoute struct {
TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty" yaml:"tcpKeepalive,omitempty"`
// Retry settings
Retry *Retry `json:"retry,omitempty" yaml:"retry,omitempty"`
+ // External Processing extensions
+ ExtProcs []ExtProc `json:"extProc,omitempty" yaml:"extProc,omitempty"`
}
// UnstructuredRef holds unstructured data for an arbitrary k8s resource introduced by an extension
@@ -1538,6 +1556,12 @@ type ActiveHealthCheck struct {
TCP *TCPHealthChecker `json:"tcp,omitempty" yaml:"tcp,omitempty"`
}
+func (h *HealthCheck) SetHTTPHostIfAbsent(host string) {
+ if h != nil && h.Active != nil && h.Active.HTTP != nil && h.Active.HTTP.Host == "" {
+ h.Active.HTTP.Host = host
+ }
+}
+
// Validate the fields within the HealthCheck structure.
func (h *HealthCheck) Validate() error {
var errs error
@@ -1594,6 +1618,8 @@ func (h *HealthCheck) Validate() error {
// HTTPHealthChecker defines the settings of http health check.
// +k8s:deepcopy-gen=true
type HTTPHealthChecker struct {
+ // Host defines the value of the host header in the HTTP health check request.
+ Host string `json:"host" yaml:"host"`
// Path defines the HTTP path that will be requested during health checking.
Path string `json:"path" yaml:"path"`
// Method defines the HTTP method used for health checking.
@@ -1607,6 +1633,9 @@ type HTTPHealthChecker struct {
// Validate the fields within the HTTPHealthChecker structure.
func (c *HTTPHealthChecker) Validate() error {
var errs error
+ if c.Host == "" {
+ errs = errors.Join(errs, ErrHCHTTPHostInvalid)
+ }
if c.Path == "" {
errs = errors.Join(errs, ErrHCHTTPPathInvalid)
}
@@ -1793,8 +1822,11 @@ type TLSUpstreamConfig struct {
// Connection settings for downstream connections
// +k8s:deepcopy-gen=true
type Connection struct {
- // Limit for number of connections
- Limit *ConnectionLimit `json:"limit,omitempty" yaml:"limit,omitempty"`
+ //
+ // ConnectionLimit is the limit of number of connections
+ ConnectionLimit *ConnectionLimit `json:"limit,omitempty" yaml:"limit,omitempty"`
+ // BufferLimitBytes is the maximum number of bytes that can be buffered for a connection.
+ BufferLimitBytes *uint32 `json:"bufferLimit,omitempty" yaml:"bufferLimit,omitempty"`
}
// ConnectionLimit contains settings for downstream connection limits
@@ -1808,3 +1840,17 @@ type ConnectionLimit struct {
// once the limit value is reached.
CloseDelay *metav1.Duration `json:"closeDelay,omitempty" yaml:"closeDelay,omitempty"`
}
+
+// ExtProc holds the information associated with the ExtProc extensions.
+// +k8s:deepcopy-gen=true
+type ExtProc struct {
+ // Name is a unique name for an ExtProc configuration.
+ // The xds translator only generates one ExtProc filter for each unique name.
+ Name string `json:"name" yaml:"name"`
+
+ // Destination defines the destination for the gRPC External Processing service.
+ Destination RouteDestination `json:"destination"`
+
+ // Authority is the hostname:port of the HTTP External Processing service.
+ Authority string `json:"authority"`
+}
diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go
index c9f2bed7411..2f4d9a46a33 100644
--- a/internal/ir/xds_test.go
+++ b/internal/ir/xds_test.go
@@ -1257,6 +1257,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To[uint32](3),
HealthyThreshold: ptr.To[uint32](3),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
ExpectedStatuses: []HTTPStatus{200, 400},
},
@@ -1273,6 +1274,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To[uint32](3),
HealthyThreshold: ptr.To[uint32](3),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
Method: ptr.To(http.MethodGet),
ExpectedStatuses: []HTTPStatus{200, 400},
@@ -1290,6 +1292,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To[uint32](0),
HealthyThreshold: ptr.To[uint32](3),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
Method: ptr.To(http.MethodPatch),
ExpectedStatuses: []HTTPStatus{200, 400},
@@ -1307,6 +1310,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To[uint32](3),
HealthyThreshold: ptr.To[uint32](0),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
Method: ptr.To(http.MethodPost),
ExpectedStatuses: []HTTPStatus{200, 400},
@@ -1316,6 +1320,23 @@ func TestValidateHealthCheck(t *testing.T) {
},
want: ErrHealthCheckHealthyThresholdInvalid,
},
+ {
+ name: "http-health-check: invalid host",
+ input: HealthCheck{&ActiveHealthCheck{
+ Timeout: &metav1.Duration{Duration: time.Second},
+ Interval: &metav1.Duration{Duration: time.Second},
+ UnhealthyThreshold: ptr.To[uint32](3),
+ HealthyThreshold: ptr.To[uint32](3),
+ HTTP: &HTTPHealthChecker{
+ Path: "/healthz",
+ Method: ptr.To(http.MethodPut),
+ ExpectedStatuses: []HTTPStatus{200, 400},
+ },
+ },
+ &OutlierDetection{},
+ },
+ want: ErrHCHTTPHostInvalid,
+ },
{
name: "http-health-check: invalid path",
input: HealthCheck{&ActiveHealthCheck{
@@ -1324,6 +1345,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To[uint32](3),
HealthyThreshold: ptr.To[uint32](3),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "",
Method: ptr.To(http.MethodPut),
ExpectedStatuses: []HTTPStatus{200, 400},
@@ -1341,6 +1363,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To(uint32(3)),
HealthyThreshold: ptr.To(uint32(3)),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
Method: ptr.To(http.MethodConnect),
ExpectedStatuses: []HTTPStatus{200, 400},
@@ -1358,6 +1381,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To(uint32(3)),
HealthyThreshold: ptr.To(uint32(3)),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
Method: ptr.To(http.MethodDelete),
ExpectedStatuses: []HTTPStatus{},
@@ -1375,6 +1399,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To(uint32(3)),
HealthyThreshold: ptr.To(uint32(3)),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
Method: ptr.To(http.MethodHead),
ExpectedStatuses: []HTTPStatus{100, 600},
@@ -1392,6 +1417,7 @@ func TestValidateHealthCheck(t *testing.T) {
UnhealthyThreshold: ptr.To(uint32(3)),
HealthyThreshold: ptr.To(uint32(3)),
HTTP: &HTTPHealthChecker{
+ Host: "*",
Path: "/healthz",
Method: ptr.To(http.MethodOptions),
ExpectedStatuses: []HTTPStatus{200, 300},
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index b1035316c36..34d00d3eb48 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
@@ -303,11 +303,16 @@ func (in *ClientTimeout) DeepCopy() *ClientTimeout {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Connection) DeepCopyInto(out *Connection) {
*out = *in
- if in.Limit != nil {
- in, out := &in.Limit, &out.Limit
+ if in.ConnectionLimit != nil {
+ in, out := &in.ConnectionLimit, &out.ConnectionLimit
*out = new(ConnectionLimit)
(*in).DeepCopyInto(*out)
}
+ if in.BufferLimitBytes != nil {
+ in, out := &in.BufferLimitBytes, &out.BufferLimitBytes
+ *out = new(uint32)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Connection.
@@ -523,6 +528,22 @@ func (in *ExtAuth) DeepCopy() *ExtAuth {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExtProc) DeepCopyInto(out *ExtProc) {
+ *out = *in
+ in.Destination.DeepCopyInto(&out.Destination)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProc.
+func (in *ExtProc) DeepCopy() *ExtProc {
+ if in == nil {
+ return nil
+ }
+ out := new(ExtProc)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FaultInjection) DeepCopyInto(out *FaultInjection) {
*out = *in
@@ -693,6 +714,11 @@ func (in *HTTPClientTimeout) DeepCopyInto(out *HTTPClientTimeout) {
*out = new(v1.Duration)
**out = **in
}
+ if in.IdleTimeout != nil {
+ in, out := &in.IdleTimeout, &out.IdleTimeout
+ *out = new(v1.Duration)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPClientTimeout.
@@ -1016,6 +1042,13 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) {
*out = new(Retry)
(*in).DeepCopyInto(*out)
}
+ if in.ExtProcs != nil {
+ in, out := &in.ExtProcs, &out.ExtProcs
+ *out = make([]ExtProc, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRoute.
diff --git a/internal/message/types.go b/internal/message/types.go
index 2ce936442a6..9db1b824f81 100644
--- a/internal/message/types.go
+++ b/internal/message/types.go
@@ -94,6 +94,7 @@ type PolicyStatuses struct {
EnvoyPatchPolicyStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.PolicyStatus]
SecurityPolicyStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.PolicyStatus]
BackendTLSPolicyStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.PolicyStatus]
+ EnvoyExtensionPolicyStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.PolicyStatus]
}
func (p *PolicyStatuses) Close() {
@@ -101,6 +102,7 @@ func (p *PolicyStatuses) Close() {
p.SecurityPolicyStatuses.Close()
p.EnvoyPatchPolicyStatuses.Close()
p.BackendTLSPolicyStatuses.Close()
+ p.EnvoyExtensionPolicyStatuses.Close()
}
// XdsIR message
diff --git a/internal/metrics/metrics_test.go b/internal/metrics/metrics_test.go
new file mode 100644
index 00000000000..560141c6266
--- /dev/null
+++ b/internal/metrics/metrics_test.go
@@ -0,0 +1,274 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package metrics
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "errors"
+ "flag"
+ "fmt"
+ "io"
+ "os"
+ "reflect"
+ "strings"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ "go.opentelemetry.io/otel"
+ "go.opentelemetry.io/otel/attribute"
+ "go.opentelemetry.io/otel/exporters/stdout/stdoutmetric"
+ "go.opentelemetry.io/otel/sdk/metric"
+ "go.opentelemetry.io/otel/sdk/metric/metricdata"
+ "go.opentelemetry.io/otel/sdk/resource"
+ semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+)
+
+var (
+ overrideTestData = flag.Bool("override-testdata", false, "if override the test output data.")
+)
+
+func TestCounter(t *testing.T) {
+
+ name := "counter_metric"
+
+ var writer io.ReadWriter = bytes.NewBuffer(nil)
+ writer, err := exporterWriter(name, writer)
+ require.NoError(t, err)
+
+ counterProvider, err := newTestMetricsProvider("Counter", writer)
+ require.NoError(t, err)
+
+ // simulate a function that builds an indicator and changes its value
+ metricsFunc := []func(){
+ func() {
+ metricName := "ir_updates_total"
+ description := "Total Number of IR updates, by ir type"
+
+ irCounter := NewCounter(
+ metricName,
+ description,
+ )
+
+ // increment on every xds ir update
+ irCounter.With(NewLabel("ir-type").Value("xds")).Increment()
+ // xds ir updates double
+ irCounter.With(NewLabel("ir-type").Value("xds")).Add(2)
+ },
+ func() {
+ name := "watchable_subscribed_total"
+ description := "Total Number of IR updates, by ir type"
+
+ subCounter := NewCounter(
+ name,
+ description,
+ )
+
+ // increment on every xds ir subscribed
+ subCounter.With(NewLabel("ir-type").Value("xds")).Add(2)
+ // xds ir updates double
+ subCounter.With(NewLabel("ir-type").Value("xds")).Add(5)
+ },
+ }
+ for _, f := range metricsFunc {
+ f()
+ }
+
+ // Ensure that metrics data can be flushed by closing the provider
+ err = counterProvider.Shutdown(context.Background())
+ require.NoError(t, err)
+
+ loadMetricsFile(t, name, writer)
+}
+
+func TestGauge(t *testing.T) {
+
+ name := "gauge_metric"
+
+ var writer io.ReadWriter = bytes.NewBuffer(nil)
+ writer, err := exporterWriter(name, writer)
+ require.NoError(t, err)
+
+ gaugeProvider, err := newTestMetricsProvider("Gauge", writer)
+ require.NoError(t, err)
+
+ // simulate a function that builds an indicator and changes its value
+ metricsFunc := []func(){
+ func() {
+ metricName := "current_irs_queue_num"
+ description := "current number of ir in queue, by ir type"
+
+ currentIRsNum := NewGauge(
+ metricName,
+ description,
+ )
+
+ // only the last recorded value (2) will be exported for this gauge
+ currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(1)
+ currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(3)
+ currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(2)
+
+ currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(1)
+ currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(3)
+ currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(2)
+ },
+ }
+ for _, f := range metricsFunc {
+ f()
+ }
+
+ // Ensure that metrics data can be flushed by closing the provider
+ err = gaugeProvider.Shutdown(context.Background())
+ require.NoError(t, err)
+
+ loadMetricsFile(t, name, writer)
+}
+
+func TestHistogram(t *testing.T) {
+
+ name := "histogram_metric"
+
+ var writer io.ReadWriter = bytes.NewBuffer(nil)
+ writer, err := exporterWriter(name, writer)
+ require.NoError(t, err)
+
+ histogramProvider, err := newTestMetricsProvider("Histogram", writer)
+ require.NoError(t, err)
+
+ // simulate a function that builds an indicator and changes its value
+ metricsFunc := []func(){
+ func() {
+ metricName := "sent_bytes_total"
+ description := "Histogram of sent bytes by method"
+
+ sentBytes := NewHistogram(
+ metricName,
+ description,
+ []float64{10, 50, 100, 1000, 10000},
+ WithUnit(Bytes),
+ )
+
+ // This will hit Bounds of 25,500 and 2500
+ sentBytes.With(NewLabel("method").Value("/request/path/1")).Record(20)
+ sentBytes.With(NewLabel("method").Value("/request/path/1")).Record(458)
+ sentBytes.With(NewLabel("method").Value("/request/path/1")).Record(2000)
+ },
+ }
+ for _, f := range metricsFunc {
+ f()
+ }
+
+ // Ensure that metrics data can be flushed by closing the provider
+ err = histogramProvider.Shutdown(context.Background())
+ require.NoError(t, err)
+
+ loadMetricsFile(t, name, writer)
+}
+
+// newTestMetricsProvider Create an OTEL Metrics Provider for testing use only
+func newTestMetricsProvider(metricType string, writer io.Writer) (*metric.MeterProvider, error) {
+ enc := json.NewEncoder(writer)
+ enc.SetIndent("", " ")
+
+ stdExp, err := stdoutmetric.New(
+ stdoutmetric.WithEncoder(
+ &jsonEncoderWithoutTime{
+ encoder: enc,
+ },
+ ),
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ p := metric.NewMeterProvider(
+ metric.WithReader(metric.NewPeriodicReader(stdExp)),
+ metric.WithResource(resource.NewSchemaless(
+ semconv.ServiceName("test"),
+ attribute.String("metric.type", metricType),
+ )),
+ )
+ otel.SetMeterProvider(p)
+
+ return p, nil
+}
+
+func loadMetricsFile(t *testing.T, name string, reader io.Reader) {
+ if !*overrideTestData {
+ fname := fmt.Sprintf("testdata/%s.json", name)
+
+ // nolint:gosec
+ f, err := os.ReadFile(fname)
+ require.NoError(t, err)
+
+ actual := reader.(*bytes.Buffer).String()
+ // we set the json encoder indent, so we need to remove the "\r" from the read file
+ expect := strings.ReplaceAll(string(f), "\r", "")
+
+ require.Equal(t, expect, actual)
+ }
+}
+
+func exporterWriter(name string, origin io.ReadWriter) (io.ReadWriter, error) {
+ if *overrideTestData {
+ fname := fmt.Sprintf("testdata/%s.json", name)
+
+ // nolint:gosec
+ f, err := os.OpenFile(fname, os.O_CREATE|os.O_RDWR, 0644)
+ if err != nil {
+ return nil, err
+ }
+ return f, nil
+ }
+
+ return origin, nil
+}
+
+// jsonEncoderWithoutTime Is a JSON Encoder that zeroed out the ResourceMetrics time
+// WARNING: This can only be used in the ResourceMetrics serialization when testing a metric!
+type jsonEncoderWithoutTime struct {
+ encoder *json.Encoder
+}
+
+func (enc *jsonEncoderWithoutTime) Encode(v any) error {
+ data, ok := v.(*metricdata.ResourceMetrics)
+ if !ok {
+ return fmt.Errorf("object of type %T is not ResourceMetrics", data)
+ }
+
+ // Since to the presence of time information in metrics, it prevents us from performing comparisons.
+ // In practice, when testing whether metrics are output as expected,
+ // we are not overly concerned with the value of time,
+ // but rather focus on the attributes and values of the metrics.
+ // In serialization, we always set the Time/StartTime fields to zero value.
+ for _, sm := range data.ScopeMetrics {
+ for _, m := range sm.Metrics {
+ val := reflect.ValueOf(m.Data).FieldByName("DataPoints")
+ for i := 0; i < val.Len(); i++ {
+ field := val.Index(i)
+ if exist := func(reflect.Value) bool {
+ var updated bool
+ if !field.FieldByName("Time").IsZero() && field.IsValid() && field.CanSet() {
+ field.FieldByName("Time").Set(reflect.ValueOf(time.Time{}))
+ updated = true
+ }
+ if !field.FieldByName("StartTime").IsZero() && field.IsValid() && field.CanSet() {
+ field.FieldByName("StartTime").Set(reflect.ValueOf(time.Time{}))
+ updated = true
+ }
+ return updated
+ }(field); !exist {
+ return errors.New("failed to set the Time or StartTime field value")
+ }
+
+ }
+ }
+ }
+
+ return enc.encoder.Encode(data)
+}
diff --git a/internal/metrics/sample_counter_test.go b/internal/metrics/sample_counter_test.go
deleted file mode 100644
index ffd3a18aac3..00000000000
--- a/internal/metrics/sample_counter_test.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright Envoy Gateway Authors
-// SPDX-License-Identifier: Apache-2.0
-// The full text of the Apache license is available in the LICENSE file at
-// the root of the repo.
-
-package metrics_test
-
-import "github.com/envoyproxy/gateway/internal/metrics"
-
-var (
- irUpdates = metrics.NewCounter(
- "ir_updates_total",
- "Number of IR updates, by ir type",
- )
-)
-
-func NewCounter() {
- // increment on every xds ir update
- irUpdates.With(irType.Value("xds")).Increment()
-
- // xds ir updates double
- irUpdates.With(irType.Value("xds")).Add(2)
-}
diff --git a/internal/metrics/sample_gauge_test.go b/internal/metrics/sample_gauge_test.go
deleted file mode 100644
index 6b287ed9ca1..00000000000
--- a/internal/metrics/sample_gauge_test.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright Envoy Gateway Authors
-// SPDX-License-Identifier: Apache-2.0
-// The full text of the Apache license is available in the LICENSE file at
-// the root of the repo.
-
-package metrics_test
-
-import "github.com/envoyproxy/gateway/internal/metrics"
-
-var (
- irType = metrics.NewLabel("ir-type")
- currentIRsNum = metrics.NewGauge(
- "current_irs_queue_num",
- "current number of ir in queue, by ir type",
- )
-)
-
-func NewGauge() {
- // only the last recorded value (2) will be exported for this gauge
- currentIRsNum.With(irType.Value("xds")).Record(1)
- currentIRsNum.With(irType.Value("xds")).Record(3)
- currentIRsNum.With(irType.Value("xds")).Record(2)
-
- currentIRsNum.With(irType.Value("infra")).Record(1)
- currentIRsNum.With(irType.Value("infra")).Record(3)
- currentIRsNum.With(irType.Value("infra")).Record(2)
-}
diff --git a/internal/metrics/sample_histogram_test.go b/internal/metrics/sample_histogram_test.go
deleted file mode 100644
index b34658fcbe5..00000000000
--- a/internal/metrics/sample_histogram_test.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright Envoy Gateway Authors
-// SPDX-License-Identifier: Apache-2.0
-// The full text of the Apache license is available in the LICENSE file at
-// the root of the repo.
-
-package metrics_test
-
-import "github.com/envoyproxy/gateway/internal/metrics"
-
-var (
- method = metrics.NewLabel("method")
-
- sentBytes = metrics.NewHistogram(
- "sent_bytes_total",
- "Histogram of sent bytes by method",
- []float64{10, 50, 100, 1000, 10000},
- metrics.WithUnit(metrics.Bytes),
- )
-)
-
-func NewHistogram() {
- sentBytes.With(method.Value("/request/path/1")).Record(458)
-}
diff --git a/internal/metrics/testdata/counter_metric.json b/internal/metrics/testdata/counter_metric.json
new file mode 100644
index 00000000000..2c1859a3d45
--- /dev/null
+++ b/internal/metrics/testdata/counter_metric.json
@@ -0,0 +1,79 @@
+{
+ "Resource": [
+ {
+ "Key": "metric.type",
+ "Value": {
+ "Type": "STRING",
+ "Value": "Counter"
+ }
+ },
+ {
+ "Key": "service.name",
+ "Value": {
+ "Type": "STRING",
+ "Value": "test"
+ }
+ }
+ ],
+ "ScopeMetrics": [
+ {
+ "Scope": {
+ "Name": "envoy-gateway",
+ "Version": "",
+ "SchemaURL": ""
+ },
+ "Metrics": [
+ {
+ "Name": "ir_updates_total",
+ "Description": "Total Number of IR updates, by ir type",
+ "Unit": "1",
+ "Data": {
+ "DataPoints": [
+ {
+ "Attributes": [
+ {
+ "Key": "ir-type",
+ "Value": {
+ "Type": "STRING",
+ "Value": "xds"
+ }
+ }
+ ],
+ "StartTime": "0001-01-01T00:00:00Z",
+ "Time": "0001-01-01T00:00:00Z",
+ "Value": 3
+ }
+ ],
+ "Temporality": "CumulativeTemporality",
+ "IsMonotonic": true
+ }
+ },
+ {
+ "Name": "watchable_subscribed_total",
+ "Description": "Total Number of IR updates, by ir type",
+ "Unit": "1",
+ "Data": {
+ "DataPoints": [
+ {
+ "Attributes": [
+ {
+ "Key": "ir-type",
+ "Value": {
+ "Type": "STRING",
+ "Value": "xds"
+ }
+ }
+ ],
+ "StartTime": "0001-01-01T00:00:00Z",
+ "Time": "0001-01-01T00:00:00Z",
+ "Value": 7
+ }
+ ],
+ "Temporality": "CumulativeTemporality",
+ "IsMonotonic": true
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/internal/metrics/testdata/gauge_metric.json b/internal/metrics/testdata/gauge_metric.json
new file mode 100644
index 00000000000..7641f17cbee
--- /dev/null
+++ b/internal/metrics/testdata/gauge_metric.json
@@ -0,0 +1,52 @@
+{
+ "Resource": [
+ {
+ "Key": "metric.type",
+ "Value": {
+ "Type": "STRING",
+ "Value": "Gauge"
+ }
+ },
+ {
+ "Key": "service.name",
+ "Value": {
+ "Type": "STRING",
+ "Value": "test"
+ }
+ }
+ ],
+ "ScopeMetrics": [
+ {
+ "Scope": {
+ "Name": "envoy-gateway",
+ "Version": "",
+ "SchemaURL": ""
+ },
+ "Metrics": [
+ {
+ "Name": "current_irs_queue_num",
+ "Description": "current number of ir in queue, by ir type",
+ "Unit": "1",
+ "Data": {
+ "DataPoints": [
+ {
+ "Attributes": [
+ {
+ "Key": "ir-type",
+ "Value": {
+ "Type": "STRING",
+ "Value": "xds"
+ }
+ }
+ ],
+ "StartTime": "0001-01-01T00:00:00Z",
+ "Time": "0001-01-01T00:00:00Z",
+ "Value": 2
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/internal/metrics/testdata/histogram_metric.json b/internal/metrics/testdata/histogram_metric.json
new file mode 100644
index 00000000000..0054be03640
--- /dev/null
+++ b/internal/metrics/testdata/histogram_metric.json
@@ -0,0 +1,91 @@
+{
+ "Resource": [
+ {
+ "Key": "metric.type",
+ "Value": {
+ "Type": "STRING",
+ "Value": "Histogram"
+ }
+ },
+ {
+ "Key": "service.name",
+ "Value": {
+ "Type": "STRING",
+ "Value": "test"
+ }
+ }
+ ],
+ "ScopeMetrics": [
+ {
+ "Scope": {
+ "Name": "envoy-gateway",
+ "Version": "",
+ "SchemaURL": ""
+ },
+ "Metrics": [
+ {
+ "Name": "sent_bytes_total",
+ "Description": "Histogram of sent bytes by method",
+ "Unit": "By",
+ "Data": {
+ "DataPoints": [
+ {
+ "Attributes": [
+ {
+ "Key": "method",
+ "Value": {
+ "Type": "STRING",
+ "Value": "/request/path/1"
+ }
+ }
+ ],
+ "StartTime": "0001-01-01T00:00:00Z",
+ "Time": "0001-01-01T00:00:00Z",
+ "Count": 3,
+ "Bounds": [
+ 0,
+ 5,
+ 10,
+ 25,
+ 50,
+ 75,
+ 100,
+ 250,
+ 500,
+ 750,
+ 1000,
+ 2500,
+ 5000,
+ 7500,
+ 10000
+ ],
+ "BucketCounts": [
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "Min": 20,
+ "Max": 2000,
+ "Sum": 2478
+ }
+ ],
+ "Temporality": "CumulativeTemporality"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
index c3ea9daab3d..571a45c5764 100644
--- a/internal/provider/kubernetes/controller.go
+++ b/internal/provider/kubernetes/controller.go
@@ -199,6 +199,11 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques
return reconcile.Result{}, err
}
+ // Add all EnvoyExtensionPolicies and their referenced resources to the resourceTree
+ if err = r.processEnvoyExtensionPolicies(ctx, gwcResource, resourceMappings); err != nil {
+ return reconcile.Result{}, err
+ }
+
// Add the referenced services, ServiceImports, and EndpointSlices in
// the collected BackendRefs to the resourceTree.
// BackendRefs are referred by various Route objects and the ExtAuth in SecurityPolicies.
@@ -901,6 +906,15 @@ func (r *gatewayAPIReconciler) addFinalizer(ctx context.Context, gc *gwapiv1.Gat
// watchResources watches gateway api resources.
func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.Manager, c controller.Controller) error {
+ // Upon leader election, we retrigger the reconciliation process to allow the elected leader to
+ // process status updates and infrastructure changes. This step is crucial for synchronizing resources
+ // that may have been altered or introduced while there was no elected leader.
+ if err := c.Watch(
+ NewWatchAndReconcileSource(mgr.Elected(), &gwapiv1.GatewayClass{}),
+ handler.EnqueueRequestsFromMapFunc(r.enqueueClass)); err != nil {
+ return err
+ }
+
if err := c.Watch(
source.Kind(mgr.GetCache(), &gwapiv1.GatewayClass{}),
handler.EnqueueRequestsFromMapFunc(r.enqueueClass),
@@ -1234,6 +1248,24 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M
return err
}
+ // Watch EnvoyExtensionPolicy
+ eepPredicates := []predicate.Predicate{predicate.GenerationChangedPredicate{}}
+ if r.namespaceLabel != nil {
+ eepPredicates = append(eepPredicates, predicate.NewPredicateFuncs(r.hasMatchingNamespaceLabels))
+ }
+
+ // Watch EnvoyExtensionPolicy CRUDs
+ if err := c.Watch(
+ source.Kind(mgr.GetCache(), &egv1a1.EnvoyExtensionPolicy{}),
+ handler.EnqueueRequestsFromMapFunc(r.enqueueClass),
+ eepPredicates...,
+ ); err != nil {
+ return err
+ }
+ if err := addEnvoyExtensionPolicyIndexers(ctx, mgr); err != nil {
+ return err
+ }
+
r.log.Info("Watching gatewayAPI related objects")
// Watch any additional GVKs from the registered extension.
@@ -1400,3 +1432,78 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicyConfigMapRefs(ctx context.
}
}
}
+
+// processEnvoyExtensionPolicies adds EnvoyExtensionPolicies and their referenced resources to the resourceTree
+func (r *gatewayAPIReconciler) processEnvoyExtensionPolicies(
+ ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings) error {
+ envoyExtensionPolicies := egv1a1.EnvoyExtensionPolicyList{}
+ if err := r.client.List(ctx, &envoyExtensionPolicies); err != nil {
+ return fmt.Errorf("error listing EnvoyExtensionPolicies: %w", err)
+ }
+
+ for _, policy := range envoyExtensionPolicies.Items {
+ policy := policy
+ // Discard Status to reduce memory consumption in watchable
+ // It will be recomputed by the gateway-api layer
+ policy.Status = gwapiv1a2.PolicyStatus{}
+ resourceTree.EnvoyExtensionPolicies = append(resourceTree.EnvoyExtensionPolicies, &policy)
+ }
+
+ // Add the referenced Resources in EnvoyExtensionPolicies to the resourceTree
+ r.processEnvoyExtensionPolicyObjectRefs(ctx, resourceTree, resourceMap)
+
+ return nil
+}
+
+// processEnvoyExtensionPolicyObjectRefs adds the referenced resources in EnvoyExtensionPolicies
+// to the resourceTree
+// - BackendRefs for ExtProcs
+func (r *gatewayAPIReconciler) processEnvoyExtensionPolicyObjectRefs(
+ ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings) {
+ // we don't return errors from this method, because we want to continue reconciling
+ // the rest of the EnvoyExtensionPolicies despite that one reference is invalid. This
+ // allows Envoy Gateway to continue serving traffic even if some EnvoyExtensionPolicies
+ // are invalid.
+ //
+ // This EnvoyExtensionPolicy will be marked as invalid in its status when translating
+ // to IR because the referenced service can't be found.
+ for _, policy := range resourceTree.EnvoyExtensionPolicies {
+ // Add the referenced BackendRefs and ReferenceGrants in ExtAuth to Maps for later processing
+ for _, ep := range policy.Spec.ExtProc {
+ backendRef := ep.BackendRef.BackendObjectReference
+
+ backendNamespace := gatewayapi.NamespaceDerefOr(backendRef.Namespace, policy.Namespace)
+ resourceMap.allAssociatedBackendRefs[gwapiv1.BackendObjectReference{
+ Group: backendRef.Group,
+ Kind: backendRef.Kind,
+ Namespace: gatewayapi.NamespacePtrV1Alpha2(backendNamespace),
+ Name: backendRef.Name,
+ }] = struct{}{}
+
+ if backendNamespace != policy.Namespace {
+ from := ObjectKindNamespacedName{
+ kind: gatewayapi.KindHTTPRoute,
+ namespace: policy.Namespace,
+ name: policy.Name,
+ }
+ to := ObjectKindNamespacedName{
+ kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService),
+ namespace: backendNamespace,
+ name: string(backendRef.Name),
+ }
+ refGrant, err := r.findReferenceGrant(ctx, from, to)
+ switch {
+ case err != nil:
+ r.log.Error(err, "failed to find ReferenceGrant")
+ case refGrant == nil:
+ r.log.Info("no matching ReferenceGrants found", "from", from.kind,
+ "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace)
+ default:
+ resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant)
+ r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace,
+ "name", refGrant.Name)
+ }
+ }
+ }
+ }
+}
diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go
index 3e638a17aae..ac1132b31d5 100644
--- a/internal/provider/kubernetes/indexers.go
+++ b/internal/provider/kubernetes/indexers.go
@@ -20,24 +20,25 @@ import (
)
const (
- classGatewayIndex = "classGatewayIndex"
- gatewayTLSRouteIndex = "gatewayTLSRouteIndex"
- gatewayHTTPRouteIndex = "gatewayHTTPRouteIndex"
- gatewayGRPCRouteIndex = "gatewayGRPCRouteIndex"
- gatewayTCPRouteIndex = "gatewayTCPRouteIndex"
- gatewayUDPRouteIndex = "gatewayUDPRouteIndex"
- secretGatewayIndex = "secretGatewayIndex"
- targetRefGrantRouteIndex = "targetRefGrantRouteIndex"
- backendHTTPRouteIndex = "backendHTTPRouteIndex"
- backendGRPCRouteIndex = "backendGRPCRouteIndex"
- backendTLSRouteIndex = "backendTLSRouteIndex"
- backendTCPRouteIndex = "backendTCPRouteIndex"
- backendUDPRouteIndex = "backendUDPRouteIndex"
- secretSecurityPolicyIndex = "secretSecurityPolicyIndex"
- backendSecurityPolicyIndex = "backendSecurityPolicyIndex"
- configMapCtpIndex = "configMapCtpIndex"
- secretCtpIndex = "secretCtpIndex"
- configMapBtlsIndex = "configMapBtlsIndex"
+ classGatewayIndex = "classGatewayIndex"
+ gatewayTLSRouteIndex = "gatewayTLSRouteIndex"
+ gatewayHTTPRouteIndex = "gatewayHTTPRouteIndex"
+ gatewayGRPCRouteIndex = "gatewayGRPCRouteIndex"
+ gatewayTCPRouteIndex = "gatewayTCPRouteIndex"
+ gatewayUDPRouteIndex = "gatewayUDPRouteIndex"
+ secretGatewayIndex = "secretGatewayIndex"
+ targetRefGrantRouteIndex = "targetRefGrantRouteIndex"
+ backendHTTPRouteIndex = "backendHTTPRouteIndex"
+ backendGRPCRouteIndex = "backendGRPCRouteIndex"
+ backendTLSRouteIndex = "backendTLSRouteIndex"
+ backendTCPRouteIndex = "backendTCPRouteIndex"
+ backendUDPRouteIndex = "backendUDPRouteIndex"
+ secretSecurityPolicyIndex = "secretSecurityPolicyIndex"
+ backendSecurityPolicyIndex = "backendSecurityPolicyIndex"
+ configMapCtpIndex = "configMapCtpIndex"
+ secretCtpIndex = "secretCtpIndex"
+ configMapBtlsIndex = "configMapBtlsIndex"
+ backendEnvoyExtensionPolicyIndex = "backendSecurityPolicyIndex"
)
func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error {
@@ -511,3 +512,36 @@ func configMapBtlsIndexFunc(rawObj client.Object) []string {
}
return configMapReferences
}
+
+// addEnvoyExtensionPolicyIndexers adds indexing on EnvoyExtensionPolicy.
+// - For Service objects that are referenced in EnvoyExtensionPolicy objects via
+// `.spec.extProc.[*].service.backendObjectReference`. This helps in querying for
+// EnvoyExtensionPolicy that are affected by a particular Service CRUD.
+func addEnvoyExtensionPolicyIndexers(ctx context.Context, mgr manager.Manager) error {
+ var err error
+
+ if err = mgr.GetFieldIndexer().IndexField(
+ ctx, &v1alpha1.EnvoyExtensionPolicy{}, backendEnvoyExtensionPolicyIndex,
+ backendEnvoyExtensionPolicyIndexFunc); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func backendEnvoyExtensionPolicyIndexFunc(rawObj client.Object) []string {
+ envoyExtensionPolicy := rawObj.(*v1alpha1.EnvoyExtensionPolicy)
+
+ var ret []string
+
+ for _, ep := range envoyExtensionPolicy.Spec.ExtProc {
+ backendRef := ep.BackendRef.BackendObjectReference
+ ret = append(ret,
+ types.NamespacedName{
+ Namespace: gatewayapi.NamespaceDerefOr(backendRef.Namespace, envoyExtensionPolicy.Namespace),
+ Name: string(backendRef.Name),
+ }.String())
+ }
+
+ return ret
+}
diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go
index 3a4bfb7c793..668555b6725 100644
--- a/internal/provider/kubernetes/kubernetes.go
+++ b/internal/provider/kubernetes/kubernetes.go
@@ -8,16 +8,19 @@ package kubernetes
import (
"context"
"fmt"
+ "time"
"k8s.io/client-go/rest"
+ "k8s.io/utils/ptr"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/config"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/manager"
"github.com/envoyproxy/gateway/internal/envoygateway"
- "github.com/envoyproxy/gateway/internal/envoygateway/config"
+ ec "github.com/envoyproxy/gateway/internal/envoygateway/config"
"github.com/envoyproxy/gateway/internal/message"
"github.com/envoyproxy/gateway/internal/status"
)
@@ -31,14 +34,43 @@ type Provider struct {
}
// New creates a new Provider from the provided EnvoyGateway.
-func New(cfg *rest.Config, svr *config.Server, resources *message.ProviderResources) (*Provider, error) {
+func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) (*Provider, error) {
// TODO: Decide which mgr opts should be exposed through envoygateway.provider.kubernetes API.
+
mgrOpts := manager.Options{
- Scheme: envoygateway.GetScheme(),
- Logger: svr.Logger.Logger,
- LeaderElection: false,
- HealthProbeBindAddress: ":8081",
- LeaderElectionID: "5b9825d2.gateway.envoyproxy.io",
+ Scheme: envoygateway.GetScheme(),
+ Logger: svr.Logger.Logger,
+ HealthProbeBindAddress: ":8081",
+ LeaderElectionID: "5b9825d2.gateway.envoyproxy.io",
+ LeaderElectionNamespace: svr.Namespace,
+ }
+
+ if !ptr.Deref(svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) {
+ mgrOpts.LeaderElection = true
+ if svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.LeaseDuration != nil {
+ ld, err := time.ParseDuration(string(*svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.LeaseDuration))
+ if err != nil {
+ return nil, err
+ }
+ mgrOpts.LeaseDuration = ptr.To(ld)
+ }
+
+ if svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RetryPeriod != nil {
+ rp, err := time.ParseDuration(string(*svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RetryPeriod))
+ if err != nil {
+ return nil, err
+ }
+ mgrOpts.RetryPeriod = ptr.To(rp)
+ }
+
+ if svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RenewDeadline != nil {
+ rd, err := time.ParseDuration(string(*svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RenewDeadline))
+ if err != nil {
+ return nil, err
+ }
+ mgrOpts.RenewDeadline = ptr.To(rd)
+ }
+ mgrOpts.Controller = config.Controller{NeedLeaderElection: ptr.To(false)}
}
if svr.EnvoyGateway.NamespaceMode() {
@@ -47,7 +79,6 @@ func New(cfg *rest.Config, svr *config.Server, resources *message.ProviderResour
mgrOpts.Cache.DefaultNamespaces[watchNS] = cache.Config{}
}
}
-
mgr, err := ctrl.NewManager(cfg, mgrOpts)
if err != nil {
return nil, fmt.Errorf("failed to create manager: %w", err)
@@ -73,6 +104,12 @@ func New(cfg *rest.Config, svr *config.Server, resources *message.ProviderResour
return nil, fmt.Errorf("unable to set up ready check: %w", err)
}
+ // Emit elected & continue with deployment of infra resources
+ go func() {
+ <-mgr.Elected()
+ close(svr.Elected)
+ }()
+
return &Provider{
manager: mgr,
client: mgr.GetClient(),
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go
index 350818cb182..2187e5b5df1 100644
--- a/internal/provider/kubernetes/kubernetes_test.go
+++ b/internal/provider/kubernetes/kubernetes_test.go
@@ -61,6 +61,11 @@ func TestProvider(t *testing.T) {
require.NoError(t, provider.Start(ctx))
}()
+ testNs := config.DefaultNamespace
+ cli := provider.manager.GetClient()
+ ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: testNs}}
+ require.NoError(t, cli.Create(ctx, ns))
+
// Stop the kube provider.
defer func() {
cancel()
@@ -154,15 +159,8 @@ func testGatewayClassAcceptedStatus(ctx context.Context, t *testing.T, provider
func testGatewayClassWithParamRef(ctx context.Context, t *testing.T, provider *Provider, resources *message.ProviderResources) {
cli := provider.manager.GetClient()
- // Create the namespace for the test case.
// Note: The namespace for the EnvoyProxy must match EG's configured namespace.
testNs := config.DefaultNamespace
- ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: testNs}}
- require.NoError(t, cli.Create(ctx, ns))
-
- defer func() {
- require.NoError(t, cli.Delete(ctx, ns))
- }()
epName := "test-envoy-proxy"
ep := test.GetEnvoyProxy(types.NamespacedName{Namespace: testNs, Name: epName}, false)
@@ -1260,8 +1258,8 @@ func TestNamespacedProvider(t *testing.T) {
Type: egv1a1.KubernetesWatchModeTypeNamespaces,
Namespaces: []string{"ns1", "ns2"},
},
+ LeaderElection: egv1a1.DefaultLeaderElection(),
}
-
resources := new(message.ProviderResources)
provider, err := New(cliCfg, svr, resources)
require.NoError(t, err)
@@ -1320,8 +1318,8 @@ func TestNamespaceSelectorProvider(t *testing.T) {
Type: egv1a1.KubernetesWatchModeTypeNamespaceSelector,
NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"label-1": "true", "label-2": "true"}},
},
+ LeaderElection: egv1a1.DefaultLeaderElection(),
}
-
resources := new(message.ProviderResources)
provider, err := New(cliCfg, svr, resources)
require.NoError(t, err)
@@ -1330,12 +1328,16 @@ func TestNamespaceSelectorProvider(t *testing.T) {
require.NoError(t, provider.Start(ctx))
}()
+ testNs := config.DefaultNamespace
+ cli := provider.manager.GetClient()
+ ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: testNs}}
+ require.NoError(t, cli.Create(ctx, ns))
+
defer func() {
cancel()
require.NoError(t, testEnv.Stop())
}()
- cli := provider.manager.GetClient()
watchedNS := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{
Name: "watched-ns",
Labels: map[string]string{"label-1": "true", "label-2": "true"},
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
index 3585a2913ae..f25c0092326 100644
--- a/internal/provider/kubernetes/predicates.go
+++ b/internal/provider/kubernetes/predicates.go
@@ -251,7 +251,11 @@ func (r *gatewayAPIReconciler) validateServiceForReconcile(obj client.Object) bo
return true
}
- return r.isSecurityPolicyReferencingBackend(&nsName)
+ if r.isSecurityPolicyReferencingBackend(&nsName) {
+ return true
+ }
+
+ return r.isEnvoyExtensionPolicyReferencingBackend(&nsName)
}
func (r *gatewayAPIReconciler) isSecurityPolicyReferencingBackend(nsName *types.NamespacedName) bool {
@@ -363,7 +367,11 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje
return true
}
- return r.isSecurityPolicyReferencingBackend(&nsName)
+ if r.isSecurityPolicyReferencingBackend(&nsName) {
+ return true
+ }
+
+ return r.isEnvoyExtensionPolicyReferencingBackend(&nsName)
}
// validateDeploymentForReconcile tries finding the owning Gateway of the Deployment
@@ -533,3 +541,15 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object)
return true
}
+
+func (r *gatewayAPIReconciler) isEnvoyExtensionPolicyReferencingBackend(nsName *types.NamespacedName) bool {
+ spList := &egv1a1.EnvoyExtensionPolicyList{}
+ if err := r.client.List(context.Background(), spList, &client.ListOptions{
+ FieldSelector: fields.OneTermEqualSelector(backendEnvoyExtensionPolicyIndex, nsName.String()),
+ }); err != nil {
+ r.log.Error(err, "unable to find associated EnvoyExtensionPolicies")
+ return false
+ }
+
+ return len(spList.Items) > 0
+}
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index f923eef8a26..e9f24d6e51f 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -514,6 +514,64 @@ func TestValidateServiceForReconcile(t *testing.T) {
service: test.GetService(types.NamespacedName{Name: "ext-auth-http-service"}, nil, nil),
expect: true,
},
+ {
+ name: "service referenced by EnvoyExtensionPolicy ExtPrc GRPC service",
+ configs: []client.Object{
+ &v1alpha1.EnvoyExtensionPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "ext-proc",
+ },
+ Spec: v1alpha1.EnvoyExtensionPolicySpec{
+ TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+ PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+ Kind: "Gateway",
+ Name: "scheduled-status-test",
+ },
+ },
+ ExtProc: []v1alpha1.ExtProc{
+ {
+ BackendRef: v1alpha1.ExtProcBackendRef{
+ BackendObjectReference: gwapiv1.BackendObjectReference{
+ Name: "ext-proc-service",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ service: test.GetService(types.NamespacedName{Name: "ext-proc-service"}, nil, nil),
+ expect: true,
+ },
+ {
+ name: "service referenced by EnvoyExtensionPolicy ExtPrc GRPC service unrelated",
+ configs: []client.Object{
+ &v1alpha1.EnvoyExtensionPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "ext-proc",
+ },
+ Spec: v1alpha1.EnvoyExtensionPolicySpec{
+ TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+ PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+ Kind: "Gateway",
+ Name: "scheduled-status-test",
+ },
+ },
+ ExtProc: []v1alpha1.ExtProc{
+ {
+ BackendRef: v1alpha1.ExtProcBackendRef{
+ BackendObjectReference: gwapiv1.BackendObjectReference{
+ Name: "ext-proc-service",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ service: test.GetService(types.NamespacedName{Name: "ext-proc-service-unrelated"}, nil, nil),
+ expect: false,
+ },
{
name: "update status of all gateways under gatewayclass when MergeGateways enabled",
configs: []client.Object{
@@ -571,6 +629,7 @@ func TestValidateServiceForReconcile(t *testing.T) {
WithIndex(&gwapiv1a2.TCPRoute{}, backendTCPRouteIndex, backendTCPRouteIndexFunc).
WithIndex(&gwapiv1a2.UDPRoute{}, backendUDPRouteIndex, backendUDPRouteIndexFunc).
WithIndex(&v1alpha1.SecurityPolicy{}, backendSecurityPolicyIndex, backendSecurityPolicyIndexFunc).
+ WithIndex(&v1alpha1.EnvoyExtensionPolicy{}, backendEnvoyExtensionPolicyIndex, backendEnvoyExtensionPolicyIndexFunc).
Build()
t.Run(tc.name, func(t *testing.T) {
res := r.validateServiceForReconcile(tc.service)
diff --git a/internal/provider/kubernetes/sources.go b/internal/provider/kubernetes/sources.go
new file mode 100644
index 00000000000..66d93acb0d5
--- /dev/null
+++ b/internal/provider/kubernetes/sources.go
@@ -0,0 +1,46 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package kubernetes
+
+import (
+ "context"
+ "errors"
+
+ "k8s.io/client-go/util/workqueue"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/event"
+ "sigs.k8s.io/controller-runtime/pkg/handler"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+ "sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+// watchAndReconcileSource is a concrete implementation of the Source interface.
+type watchAndReconcileSource struct {
+ condition <-chan struct{}
+ object client.Object
+}
+
+func NewWatchAndReconcileSource(cond <-chan struct{}, obj client.Object) source.Source {
+ return &watchAndReconcileSource{condition: cond, object: obj}
+}
+
+// Start implements the Source interface. It registers the EventHandler with the Informer.
+func (s *watchAndReconcileSource) Start(ctx context.Context, eh handler.EventHandler, queue workqueue.RateLimitingInterface, _ ...predicate.Predicate) error {
+ if s.object == nil {
+ return errors.New("object to queue is required")
+ }
+ // do not block controller startup
+ go func() {
+ select {
+ case <-ctx.Done():
+ return
+ case <-s.condition:
+ // Triggers a reconcile
+ eh.Generic(ctx, event.GenericEvent{Object: s.object}, queue)
+ }
+ }()
+ return nil
+}
diff --git a/internal/provider/kubernetes/sources_test.go b/internal/provider/kubernetes/sources_test.go
new file mode 100644
index 00000000000..adae9f8f854
--- /dev/null
+++ b/internal/provider/kubernetes/sources_test.go
@@ -0,0 +1,75 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package kubernetes
+
+import (
+ "context"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/client-go/util/workqueue"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/handler"
+ "sigs.k8s.io/controller-runtime/pkg/reconcile"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+func enqueueClass(_ context.Context, _ client.Object) []reconcile.Request {
+ return []reconcile.Request{{NamespacedName: types.NamespacedName{
+ Name: "controller-name",
+ }}}
+}
+
+func TestSources(t *testing.T) {
+ testCases := []struct {
+ name string
+ ctx context.Context
+ expectedAddresses []string
+ handler handler.EventHandler
+ mapFunc handler.MapFunc
+ queue workqueue.RateLimitingInterface
+ expected bool
+ obj client.Object
+ }{
+ {
+ name: "Queue size should increase by one after the condition event triggered",
+ expectedAddresses: []string{},
+ handler: handler.EnqueueRequestsFromMapFunc(enqueueClass),
+ queue: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+ ctx: context.Background(),
+ obj: &gwapiv1.GatewayClass{},
+ expected: true,
+ },
+ {
+ name: "Confirm object is required",
+ expectedAddresses: []string{},
+ handler: handler.EnqueueRequestsFromMapFunc(enqueueClass),
+ queue: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+ ctx: context.Background(),
+ obj: nil,
+ expected: false,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ cond := make(chan struct{})
+ store := NewWatchAndReconcileSource(cond, tc.obj)
+ err := store.Start(tc.ctx, tc.handler, tc.queue)
+ if !tc.expected {
+ require.Error(t, err)
+ } else {
+ require.NoError(t, err)
+ close(cond)
+ require.Eventually(t, func() bool {
+ return tc.queue.Len() == 1
+ }, time.Second*3, time.Millisecond*20)
+ }
+ })
+ }
+}
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go
index 2a90165097b..5aa8af4fa57 100644
--- a/internal/provider/kubernetes/status.go
+++ b/internal/provider/kubernetes/status.go
@@ -364,6 +364,38 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context) {
)
r.log.Info("backendTlsPolicy status subscriber shutting down")
}()
+
+ // EnvoyExtensionPolicy object status updater
+ go func() {
+ message.HandleSubscription(
+ message.Metadata{Runner: string(v1alpha1.LogComponentProviderRunner), Message: "envoyextensionpolicy-status"},
+ r.resources.EnvoyExtensionPolicyStatuses.Subscribe(ctx),
+ func(update message.Update[types.NamespacedName, *gwapiv1a2.PolicyStatus], errChan chan error) {
+ // skip delete updates.
+ if update.Delete {
+ return
+ }
+ key := update.Key
+ val := update.Value
+ r.statusUpdater.Send(status.Update{
+ NamespacedName: key,
+ Resource: new(v1alpha1.EnvoyExtensionPolicy),
+ Mutator: status.MutatorFunc(func(obj client.Object) client.Object {
+ t, ok := obj.(*v1alpha1.EnvoyExtensionPolicy)
+ if !ok {
+ err := fmt.Errorf("unsupported object type %T", obj)
+ errChan <- err
+ panic(err)
+ }
+ tCopy := t.DeepCopy()
+ tCopy.Status = *val
+ return tCopy
+ }),
+ })
+ },
+ )
+ r.log.Info("envoyExtensionPolicy status subscriber shutting down")
+ }()
}
func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *gwapiv1.Gateway) {
diff --git a/internal/status/status.go b/internal/status/status.go
index 4f945e2ca9c..ce27858a325 100644
--- a/internal/status/status.go
+++ b/internal/status/status.go
@@ -246,7 +246,12 @@ func isStatusEqual(objA, objB interface{}) bool {
return true
}
}
+ case *egv1a1.EnvoyExtensionPolicy:
+ if b, ok := objB.(*egv1a1.EnvoyExtensionPolicy); ok {
+ if cmp.Equal(a.Status, b.Status, opts) {
+ return true
+ }
+ }
}
-
return false
}
diff --git a/internal/utils/helm/package.go b/internal/utils/helm/package.go
new file mode 100644
index 00000000000..87ba6d5e444
--- /dev/null
+++ b/internal/utils/helm/package.go
@@ -0,0 +1,489 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package helm
+
+import (
+ "bytes"
+ "fmt"
+ "io"
+ "os"
+ "strconv"
+ "time"
+
+ "github.com/Masterminds/semver/v3"
+ "github.com/fatih/color"
+ "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
+ "helm.sh/helm/v3/pkg/action"
+ "helm.sh/helm/v3/pkg/chart"
+ "helm.sh/helm/v3/pkg/chart/loader"
+ "helm.sh/helm/v3/pkg/chartutil"
+ "helm.sh/helm/v3/pkg/cli"
+ "helm.sh/helm/v3/pkg/cli/values"
+ "helm.sh/helm/v3/pkg/getter"
+ "helm.sh/helm/v3/pkg/registry"
+ kerrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/cli-runtime/pkg/resource"
+ "k8s.io/kubectl/pkg/cmd/util"
+
+ "github.com/envoyproxy/gateway/internal/cmd/options"
+)
+
+const (
+ helmOperateTimeout = time.Second * 300
+ egChartVersion = "v1.0.0"
+ egReleaseName = "envoy-gateway"
+ egReleaseNamespace = "envoy-gateway-system"
+)
+
+type PackageOptions struct {
+ DryRun bool
+ SkipCRD bool
+ Wait bool
+ Version string
+ Timeout time.Duration
+ ReleaseName string
+ ReleaseNamespace string
+ OnlyCRD bool
+ WithCRD bool
+}
+
+type PackageTool struct {
+ chartName string
+
+ // Helm dependency objects
+ envSettings *cli.EnvSettings
+ actionConfig *action.Configuration
+ actionInstall *action.Install
+ actionUninstall *action.Uninstall
+ valuesOpts *values.Options
+
+ logger Printer
+}
+
+func NewPackageTool() *PackageTool {
+ return &PackageTool{
+ envSettings: cli.New(),
+ actionConfig: &action.Configuration{},
+ chartName: "oci://docker.io/envoyproxy/gateway-helm",
+ valuesOpts: &values.Options{},
+ }
+}
+
+// Setup Configuration required to initialize helm action.
+func (pt *PackageTool) Setup() error {
+
+ // Since envoy-gateway uses docker's oci to store charts,
+ // we need to create a registry client to make sure we can retrieve envoy-gateway chart
+ registryCli, err := registry.NewClient()
+ if err != nil {
+ return err
+ }
+ pt.actionConfig = &action.Configuration{
+ RegistryClient: registryCli,
+ }
+
+ kubectlFactory := options.DefaultConfigFlags
+ ns, _, err := kubectlFactory.ToRawKubeConfigLoader().Namespace()
+ if err != nil {
+ return err
+ }
+
+ if err = pt.actionConfig.Init(
+ kubectlFactory,
+ ns,
+ os.Getenv("HELM_DRIVER"),
+ pt.logger.Printf,
+ ); err != nil {
+ return err
+ }
+
+ // Build the relevant helm command action
+ pt.actionInstall = action.NewInstall(pt.actionConfig)
+ pt.actionUninstall = action.NewUninstall(pt.actionConfig)
+
+ return nil
+}
+
+// SetInstallEnvSettings set the installation flags we are interested in
+func (pt *PackageTool) SetInstallEnvSettings(installCmd *cobra.Command, opts *PackageOptions) {
+
+ // add helm flags
+ // we use a temporary flag to be set by helm env flags,
+ // from which we can retrieve the flags we are interested
+ var tmpFlags pflag.FlagSet
+ pt.envSettings.AddFlags(&tmpFlags)
+ tmpFlags.VisitAll(func(flag *pflag.Flag) {
+ // TODO: Add more flags as needed?
+ switch flag.Name {
+ case "registry-config", "repository-config", "repository-cache":
+ installCmd.Flags().AddFlag(flag)
+ default:
+ }
+ })
+
+ installCmd.Flags().DurationVar(&opts.Timeout, "timeout", helmOperateTimeout, "time to wait for any individual Kubernetes operation")
+ installCmd.Flags().StringVar(&opts.Version, "version", egChartVersion, "specify a version constraint for the envoy gateway version to use")
+ installCmd.Flags().StringVar(&opts.ReleaseName, "release-name", egReleaseName, "name of the envoy-gateway release to install")
+ installCmd.Flags().StringVarP(&opts.ReleaseNamespace, "namespace", "n", egReleaseNamespace, "if set, specify the namespace where envoy gateway is installed")
+ installCmd.Flags().BoolVar(&opts.DryRun, "dry-run", false, "console output only, make no changes")
+ installCmd.Flags().BoolVar(&opts.SkipCRD, "skip-crds", false, "if set, no CRDs will be installed. By default, CRDs are installed if not already present")
+ installCmd.Flags().BoolVar(&opts.OnlyCRD, "only-crds", false, "if set, only install the crds")
+ installCmd.Flags().Bool("debug", false, "if set, the will output detailed execution logs")
+
+ installCmd.Flags().StringSliceVarP(&pt.valuesOpts.ValueFiles, "values", "f", []string{}, "Specify values in a YAML file or a URL (can specify multiple)")
+ installCmd.Flags().StringArrayVar(&pt.valuesOpts.Values, "set", []string{}, "Set values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)")
+
+}
+
+// SetUninstallEnvSetting set the uninstallation flags we are interested in
+func (pt *PackageTool) SetUninstallEnvSetting(uninstallCmd *cobra.Command, opts *PackageOptions) {
+
+ uninstallCmd.Flags().DurationVar(&opts.Timeout, "timeout", helmOperateTimeout, "time to wait for any individual Kubernetes operation")
+ uninstallCmd.Flags().StringVar(&opts.ReleaseName, "release-name", egReleaseName, "name of the envoy-gateway release to uninstall")
+ uninstallCmd.Flags().StringVarP(&opts.ReleaseNamespace, "namespace", "n", "", "if set, specify the namespace where envoy gateway is uninstalled")
+ uninstallCmd.Flags().BoolVar(&opts.Wait, "wait", false, "if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. It will wait for as long as --timeout")
+ uninstallCmd.Flags().BoolVar(&opts.DryRun, "dry-run", false, "console output only, make no changes")
+ uninstallCmd.Flags().BoolVar(&opts.WithCRD, "with-crds", false, "if set, the CRDs will also be removed")
+ uninstallCmd.Flags().Bool("debug", false, "if set, the will output detailed execution logs")
+
+}
+
+// loadChart Load the chart instance according to the chart name and version
+func (pt *PackageTool) loadChart(opts *PackageOptions) (*chart.Chart, error) {
+
+ pt.actionInstall.Version = opts.Version
+ chartName, err := pt.actionInstall.LocateChart(pt.chartName, pt.envSettings)
+ if err != nil {
+ return nil, err
+ }
+
+ egChart, err := loader.Load(chartName)
+ if err != nil {
+ return nil, err
+ }
+
+ // Before we return to the chart, we need to make sure that the chart is installed and used correctly
+ if !installableChart(egChart) {
+ return nil, fmt.Errorf("type of chart is not 'application' and cannot be installed")
+ }
+ if egChart.Metadata.Deprecated {
+ return nil, fmt.Errorf("chart has been deprecated, please update chart version")
+ }
+
+ return egChart, nil
+}
+
+// extractCRDs Extract the CRDs part of the chart
+func (pt *PackageTool) extractCRDs(ch *chart.Chart) ([]*resource.Info, error) {
+
+ crdResInfo := make([]*resource.Info, 0, len(ch.CRDObjects()))
+
+ for _, crd := range ch.CRDObjects() {
+ resInfo, err := pt.actionConfig.KubeClient.Build(bytes.NewBufferString(string(crd.File.Data)), false)
+ if err != nil {
+ return nil, err
+ }
+ crdResInfo = append(crdResInfo, resInfo...)
+ }
+
+ return crdResInfo, nil
+}
+
+// RunInstall The default installation strategy we adopt is to first install Custom Resource Definitions (CRDs) separately,
+// not as part of the Helm release. Subsequently, we install the Helm release without including CRDs.
+// This approach ensures that when uninstalling with Helm or egctl later on, CRDs are not deleted.
+// We intend for cluster administrators who understand the consequences of uninstalling CRDs to be
+// responsible for their uninstallation.
+// This is done to avoid garbage collection on CRs in the cluster during uninstallation,
+// preventing the potential loss of crucial CR instances.
+func (pt *PackageTool) RunInstall(opts *PackageOptions) error {
+
+ if opts.Version == "v0.0.0-latest" {
+ warningMarker := color.New(color.FgYellow).Add(color.Bold).Sprintf("WARNING")
+ pt.logger.Println(fmt.Sprintf("%s: Currently using the latest version of envoy gateway chart, it is recommended to use the fixed version",
+ warningMarker))
+ }
+
+ pt.setCommonValue()
+
+ egChart, err := pt.loadChart(opts)
+ if err != nil {
+ return err
+ }
+ crdInfo, err := pt.extractCRDs(egChart)
+ if err != nil {
+ return err
+ }
+
+ // Before we install CRDs, we need to ensure that CRDs do not exist in the cluster
+ // After we install CRDs, we need to ensure that the CRDs are successfully installed into the cluster
+ if !opts.SkipCRD {
+
+ if len(crdInfo) == 0 {
+ return fmt.Errorf("CRDs not found in the envoy gateway chart")
+ }
+
+ if exist, err := detectExistCRDs(crdInfo); exist == nil || *exist {
+ if err == nil {
+ err = fmt.Errorf("found installed envoy gateway CRDs and gateway api CRDs, unable to continue installation")
+ }
+ return err
+ }
+
+ if err := installCRDs(crdInfo, pt.actionConfig); err != nil {
+ return err
+ }
+
+ if exist, err := detectExistCRDs(crdInfo); exist == nil || !*exist {
+ if err != nil {
+ return fmt.Errorf("failed to install CRDs of envoy gateway")
+ }
+ return err
+ }
+
+ if opts.OnlyCRD {
+ return nil
+ }
+ }
+
+ // Merge all values flag
+ providers := getter.All(pt.envSettings)
+ egChartValues, err := pt.valuesOpts.MergeValues(providers)
+ if err != nil {
+ return err
+ }
+
+ pt.setInstallOptions(opts)
+ release, err := pt.actionInstall.Run(egChart, egChartValues)
+ if err != nil {
+ return fmt.Errorf("failed to install envoy gateway resource: %w", err)
+ }
+
+ if opts.DryRun {
+ pt.logger.Println(release.Manifest)
+ return nil
+ }
+
+ successMarker := color.New(color.FgGreen).Add(color.Bold).Sprintf("SUCCESS")
+ pt.logger.Println(fmt.Sprintf("%s: Envoy gateway installed", successMarker))
+ return nil
+}
+
+// RunUninstall By default, we only uninstall instances of the Envoy Gateway resources.
+func (pt *PackageTool) RunUninstall(opts *PackageOptions) error {
+
+ pt.setUninstallOptions(opts)
+
+ resp, err := pt.actionUninstall.Run(opts.ReleaseName)
+ if err != nil {
+ return fmt.Errorf("failed to uninstall envoy gateway: %w", err)
+ }
+
+ if opts.DryRun {
+ pt.logger.Println(resp.Release.Manifest)
+ return nil
+ }
+
+ if opts.WithCRD {
+
+ if crdInfo, err := pt.extractCRDs(resp.Release.Chart); err != nil {
+ return err
+ } else if len(crdInfo) == 0 {
+ return fmt.Errorf("CRDs not found in the envoy gateway chart")
+ } else if _, errors := pt.actionConfig.KubeClient.Delete(crdInfo); len(errors) != 0 {
+ return fmt.Errorf("failed to delete CRDs error: %s", util.MultipleErrors("", errors))
+ }
+
+ }
+
+ successMarker := color.New(color.FgGreen).Add(color.Bold).Sprintf("SUCCESS")
+ pt.logger.Println(fmt.Sprintf("%s: Envoy gateway uninstalled", successMarker))
+ return nil
+}
+
+// setCommonValue Set the common values needed for the installation chart.
+// We are not currently considering allowing users to define the following values
+func (pt *PackageTool) setCommonValue() {
+ pt.actionInstall.CreateNamespace = true
+ pt.actionInstall.GenerateName = false
+ pt.actionInstall.Description = "envoy gateway was installed using the egctl"
+}
+
+// setInstallOptions Sets the options required before install
+func (pt *PackageTool) setInstallOptions(opts *PackageOptions) {
+
+ if opts.DryRun {
+ // When dry-run is set up, we do not need to connect to k8s-api server.
+ // Since the kubernetes version needs to be higher than the value in the Helm library
+ // for client component running, we set a fake K8s version.
+ pt.actionInstall.ClientOnly = true
+ pt.actionInstall.KubeVersion = createDummyK8sVersion()
+ }
+
+ // Since we already installed CRDs before installing the instance resources,
+ // we skip the installation of CRDs.
+ pt.actionInstall.SkipCRDs = true
+
+ pt.actionInstall.DryRun = opts.DryRun
+ pt.actionInstall.Timeout = opts.Timeout
+ pt.actionInstall.ReleaseName = opts.ReleaseName
+ pt.actionInstall.Namespace = opts.ReleaseNamespace
+
+ // If '--atomic' is set, installed resources will be deleted if part of the installation fails.
+ // However, after setting '--atomic', the default setting is '--wait' to wait for
+ // resource installation in the foreground.
+ // For the correctness of installation, we do not provide '--wait' flags and
+ // always choose the foreground waiting strategy to install resources.
+ pt.actionInstall.Atomic = true
+}
+
+// setUninstallOptions Sets the options required before uninstall
+func (pt *PackageTool) setUninstallOptions(opts *PackageOptions) {
+ pt.actionUninstall.DisableHooks = false
+ pt.actionUninstall.KeepHistory = false
+
+ pt.actionUninstall.DryRun = opts.DryRun
+
+ if opts.Wait {
+ pt.actionUninstall.Wait = opts.Wait
+ pt.actionUninstall.DeletionPropagation = "foreground"
+ } else {
+ pt.actionUninstall.DeletionPropagation = "background"
+ }
+}
+
+// SetPreRun This will perform the necessary preparations before initializing the PackageTool
+func (pt *PackageTool) SetPreRun(cmd *cobra.Command) {
+ existPreRunE := cmd.PreRunE
+ cmd.PreRunE = func(cmd *cobra.Command, args []string) error {
+
+ pt.setPrinter(cmd)
+ pt.setNamespace(cmd)
+
+ return existPreRunE(cmd, args)
+ }
+}
+
+// setNamespace We will set the namespace to EnvSettings before the PackageTool is set up
+// This is to ensure that the namespace is correctly populated before we build the install/uninstall action cmd
+func (pt *PackageTool) setNamespace(cmd *cobra.Command) {
+ ns, err := cmd.Flags().GetString("namespace")
+ if err != nil {
+ ns = egReleaseNamespace
+ }
+ pt.envSettings.SetNamespace(ns)
+}
+
+// SetPrinter We will build the logger before the PackageTool is set up
+func (pt *PackageTool) setPrinter(cmd *cobra.Command) {
+ debug, err := cmd.Flags().GetBool("debug")
+ if err != nil {
+ debug = true
+ }
+ printer := NewPrinterForWriter(cmd.OutOrStdout(), debug)
+ pt.logger = printer
+}
+
+// installableChart Make sure the chart can be installed
+// ref: https://helm.sh/docs/topics/charts/#chart-types
+func installableChart(ch *chart.Chart) bool {
+ if len(ch.Metadata.Type) == 0 || ch.Metadata.Type == "application" {
+ return true
+ }
+ return false
+}
+
+// createDummyK8sVersion Create a fake KubeVersion
+func createDummyK8sVersion() *chartutil.KubeVersion {
+ dummyVersion := "v9.9.9"
+ sv, _ := semver.NewVersion(dummyVersion)
+
+ return &chartutil.KubeVersion{
+ Version: dummyVersion,
+ Major: strconv.FormatUint(sv.Major(), 10),
+ Minor: strconv.FormatUint(sv.Minor(), 10),
+ }
+}
+
+// detectExistCRDs Check if envoy-gateway and gateway-api CRDs already exist in the cluster
+func detectExistCRDs(crdResInfo []*resource.Info) (*bool, error) {
+
+ exist := false
+ existObj := make([]runtime.Object, 0, len(crdResInfo))
+
+ for _, info := range crdResInfo {
+ helper := resource.NewHelper(info.Client, info.Mapping)
+ obj, err := helper.Get(info.Namespace, info.Name)
+ if err != nil {
+ if kerrors.IsNotFound(err) {
+ continue
+ }
+ return nil, fmt.Errorf("failed to detect the crds resource: %w", err)
+ }
+ existObj = append(existObj, obj)
+ }
+
+ if len(existObj) == 0 {
+ return &exist, nil
+ }
+ if len(existObj) == len(crdResInfo) {
+ exist = true
+ return &exist, nil
+ }
+
+ return nil, fmt.Errorf("expected CRDs does not match the number of CRDS that actually exist")
+}
+
+// installCRDs Install CRDs to the cluster
+func installCRDs(crds []*resource.Info, actionConfig *action.Configuration) error {
+
+ // Create all CRDs in the envoy gateway chart
+ result, err := actionConfig.KubeClient.Create(crds)
+ if err != nil {
+ return fmt.Errorf("failed to create CRDs: %w", err)
+ }
+
+ // We invalidate the cache and let it rebuild the cache,
+ // at which point no more updated CRDs exist
+ client, err := actionConfig.RESTClientGetter.ToDiscoveryClient()
+ if err != nil {
+ return err
+ }
+ client.Invalidate()
+
+ // Wait the specified amount of time for the resource to be recognized by the cluster
+ if err := actionConfig.KubeClient.Wait(result.Created, 60*time.Second); err != nil {
+ return err
+ }
+ _, err = client.ServerGroups()
+ return err
+}
+
+type Printer interface {
+ Printf(format string, a ...any)
+ Println(string)
+}
+
+func NewPrinterForWriter(w io.Writer, debug bool) Printer {
+ return &writerPrinter{writer: w, debug: debug}
+}
+
+type writerPrinter struct {
+ writer io.Writer
+ debug bool
+}
+
+func (w *writerPrinter) Printf(format string, a ...any) {
+ if w.debug {
+ _, _ = fmt.Fprintln(w.writer, fmt.Sprintf(format, a...))
+ }
+}
+
+func (w *writerPrinter) Println(str string) {
+ _, _ = fmt.Fprintln(w.writer, str)
+}
diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go
index 5fbc63d66a4..4794c7374cc 100644
--- a/internal/xds/bootstrap/bootstrap.go
+++ b/internal/xds/bootstrap/bootstrap.go
@@ -69,6 +69,8 @@ type bootstrapParameters struct {
// StatsMatcher is to control creation of custom Envoy stats with prefix,
// suffix, and regex expressions match on the name of the stats.
StatsMatcher *StatsMatcherParameters
+ // OverloadManager defines the configuration of the Envoy overload manager.
+ OverloadManager overloadManagerParameters
}
type xdsServerParameters struct {
@@ -110,6 +112,15 @@ type StatsMatcherParameters struct {
RegularExpressions []string
}
+type overloadManagerParameters struct {
+ MaxHeapSizeBytes uint64
+}
+
+type RenderBootsrapConfigOptions struct {
+ ProxyMetrics *egv1a1.ProxyMetrics
+ MaxHeapSizeBytes uint64
+}
+
// render the stringified bootstrap config in yaml format.
func (b *bootstrapConfig) render() error {
buf := new(strings.Builder)
@@ -122,14 +133,16 @@ func (b *bootstrapConfig) render() error {
}
// GetRenderedBootstrapConfig renders the bootstrap YAML string
-func GetRenderedBootstrapConfig(proxyMetrics *egv1a1.ProxyMetrics) (string, error) {
+func GetRenderedBootstrapConfig(opts *RenderBootsrapConfigOptions) (string, error) {
var (
enablePrometheus = true
metricSinks []metricSink
StatsMatcher StatsMatcherParameters
)
- if proxyMetrics != nil {
+ if opts != nil && opts.ProxyMetrics != nil {
+ proxyMetrics := opts.ProxyMetrics
+
if proxyMetrics.Prometheus != nil {
enablePrometheus = !proxyMetrics.Prometheus.Disable
}
@@ -198,10 +211,14 @@ func GetRenderedBootstrapConfig(proxyMetrics *egv1a1.ProxyMetrics) (string, erro
OtelMetricSinks: metricSinks,
},
}
- if proxyMetrics != nil && proxyMetrics.Matches != nil {
+ if opts != nil && opts.ProxyMetrics != nil && opts.ProxyMetrics.Matches != nil {
cfg.parameters.StatsMatcher = &StatsMatcher
}
+ if opts != nil {
+ cfg.parameters.OverloadManager.MaxHeapSizeBytes = opts.MaxHeapSizeBytes
+ }
+
if err := cfg.render(); err != nil {
return "", err
}
diff --git a/internal/xds/bootstrap/bootstrap.yaml.tpl b/internal/xds/bootstrap/bootstrap.yaml.tpl
index b1b97905ecd..1c2a2f12edf 100644
--- a/internal/xds/bootstrap/bootstrap.yaml.tpl
+++ b/internal/xds/bootstrap/bootstrap.yaml.tpl
@@ -176,3 +176,27 @@ static_resources:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ {{- with .OverloadManager.MaxHeapSizeBytes }}
+ - name: "envoy.resource_monitors.fixed_heap"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig
+ max_heap_size_bytes: {{ . }}
+ actions:
+ - name: "envoy.overload_actions.shrink_heap"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.95
+ - name: "envoy.overload_actions.stop_accepting_requests"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.98
+ {{- end }}
diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go
index 06e8f731d50..2bfa874d653 100644
--- a/internal/xds/bootstrap/bootstrap_test.go
+++ b/internal/xds/bootstrap/bootstrap_test.go
@@ -20,35 +20,41 @@ import (
func TestGetRenderedBootstrapConfig(t *testing.T) {
cases := []struct {
- name string
- proxyMetrics *egv1a1.ProxyMetrics
+ name string
+ opts *RenderBootsrapConfigOptions
}{
{
name: "disable-prometheus",
- proxyMetrics: &egv1a1.ProxyMetrics{
- Prometheus: &egv1a1.ProxyPrometheusProvider{
- Disable: true,
+ opts: &RenderBootsrapConfigOptions{
+ ProxyMetrics: &egv1a1.ProxyMetrics{
+ Prometheus: &egv1a1.ProxyPrometheusProvider{
+ Disable: true,
+ },
},
},
},
{
name: "enable-prometheus",
- proxyMetrics: &egv1a1.ProxyMetrics{
- Prometheus: &egv1a1.ProxyPrometheusProvider{},
+ opts: &RenderBootsrapConfigOptions{
+ ProxyMetrics: &egv1a1.ProxyMetrics{
+ Prometheus: &egv1a1.ProxyPrometheusProvider{},
+ },
},
},
{
name: "otel-metrics",
- proxyMetrics: &egv1a1.ProxyMetrics{
- Prometheus: &egv1a1.ProxyPrometheusProvider{
- Disable: true,
- },
- Sinks: []egv1a1.ProxyMetricSink{
- {
- Type: egv1a1.MetricSinkTypeOpenTelemetry,
- OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{
- Host: "otel-collector.monitoring.svc",
- Port: 4317,
+ opts: &RenderBootsrapConfigOptions{
+ ProxyMetrics: &egv1a1.ProxyMetrics{
+ Prometheus: &egv1a1.ProxyPrometheusProvider{
+ Disable: true,
+ },
+ Sinks: []egv1a1.ProxyMetricSink{
+ {
+ Type: egv1a1.MetricSinkTypeOpenTelemetry,
+ OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{
+ Host: "otel-collector.monitoring.svc",
+ Port: 4317,
+ },
},
},
},
@@ -56,36 +62,44 @@ func TestGetRenderedBootstrapConfig(t *testing.T) {
},
{
name: "custom-stats-matcher",
- proxyMetrics: &egv1a1.ProxyMetrics{
- Matches: []egv1a1.StringMatch{
- {
- Type: ptr.To(egv1a1.StringMatchExact),
- Value: "http.foo.bar.cluster.upstream_rq",
- },
- {
- Type: ptr.To(egv1a1.StringMatchPrefix),
- Value: "http",
- },
- {
- Type: ptr.To(egv1a1.StringMatchSuffix),
- Value: "upstream_rq",
- },
- {
- Type: ptr.To(egv1a1.StringMatchRegularExpression),
- Value: "virtual.*",
- },
- {
- Type: ptr.To(egv1a1.StringMatchPrefix),
- Value: "cluster",
+ opts: &RenderBootsrapConfigOptions{
+ ProxyMetrics: &egv1a1.ProxyMetrics{
+ Matches: []egv1a1.StringMatch{
+ {
+ Type: ptr.To(egv1a1.StringMatchExact),
+ Value: "http.foo.bar.cluster.upstream_rq",
+ },
+ {
+ Type: ptr.To(egv1a1.StringMatchPrefix),
+ Value: "http",
+ },
+ {
+ Type: ptr.To(egv1a1.StringMatchSuffix),
+ Value: "upstream_rq",
+ },
+ {
+ Type: ptr.To(egv1a1.StringMatchRegularExpression),
+ Value: "virtual.*",
+ },
+ {
+ Type: ptr.To(egv1a1.StringMatchPrefix),
+ Value: "cluster",
+ },
},
},
},
},
+ {
+ name: "with-max-heap-size-bytes",
+ opts: &RenderBootsrapConfigOptions{
+ MaxHeapSizeBytes: 1073741824,
+ },
+ },
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
- got, err := GetRenderedBootstrapConfig(tc.proxyMetrics)
+ got, err := GetRenderedBootstrapConfig(tc.opts)
require.NoError(t, err)
if *overrideTestData {
diff --git a/internal/xds/bootstrap/testdata/merge/default.out.yaml b/internal/xds/bootstrap/testdata/merge/default.out.yaml
index d386f8c5bdb..0fc11f219be 100644
--- a/internal/xds/bootstrap/testdata/merge/default.out.yaml
+++ b/internal/xds/bootstrap/testdata/merge/default.out.yaml
@@ -35,6 +35,13 @@ layeredRuntime:
rtdsConfig:
ads: {}
resourceApiVersion: V3
+overloadManager:
+ refreshInterval: 0.250s
+ resourceMonitors:
+ - name: envoy.resource_monitors.global_downstream_max_connections
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ maxActiveDownstreamConnections: "50000"
staticResources:
clusters:
- connectTimeout: 0.250s
diff --git a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml
index 2471257d4c3..c805025fd13 100644
--- a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml
+++ b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml
@@ -29,6 +29,13 @@ layeredRuntime:
envoy.restart_features.use_eds_cache_for_ads: true
re2.max_program_size.error_level: 4294967295
re2.max_program_size.warn_level: 1000
+overloadManager:
+ refreshInterval: 0.250s
+ resourceMonitors:
+ - name: envoy.resource_monitors.global_downstream_max_connections
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ maxActiveDownstreamConnections: "50000"
staticResources:
clusters:
- connectTimeout: 0.250s
diff --git a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml
index 3fbbaf4d63c..3a588cb9369 100644
--- a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml
+++ b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml
@@ -132,3 +132,10 @@ static_resources:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
diff --git a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml
index 880f16cc5d8..86b4ea3ee00 100644
--- a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml
+++ b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml
@@ -99,3 +99,10 @@ static_resources:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml
index 1830842ff58..347bccd5376 100644
--- a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml
+++ b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml
@@ -121,3 +121,10 @@ static_resources:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml
index 54e0a9d806e..db865b4cb8b 100644
--- a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml
+++ b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml
@@ -124,3 +124,10 @@ static_resources:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
+overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
diff --git a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml
new file mode 100644
index 00000000000..e79291a7bb0
--- /dev/null
+++ b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml
@@ -0,0 +1,145 @@
+admin:
+ access_log:
+ - name: envoy.access_loggers.file
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: /dev/null
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+layered_runtime:
+ layers:
+ - name: global_config
+ static_layer:
+ envoy.restart_features.use_eds_cache_for_ads: true
+ re2.max_program_size.error_level: 4294967295
+ re2.max_program_size.warn_level: 1000
+dynamic_resources:
+ ads_config:
+ api_type: DELTA_GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ lds_config:
+ ads: {}
+ resource_api_version: V3
+ cds_config:
+ ads: {}
+ resource_api_version: V3
+static_resources:
+ listeners:
+ - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ protocol: TCP
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: eg-ready-http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: prometheus_stats
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: /stats/prometheus
+ route:
+ cluster: prometheus_stats
+ http_filters:
+ - name: envoy.filters.http.health_check
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: /ready
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: prometheus_stats
+ connect_timeout: 0.250s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: prometheus_stats
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ - connect_timeout: 10s
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - load_balancing_weight: 1
+ lb_endpoints:
+ - load_balancing_weight: 1
+ endpoint:
+ address:
+ socket_address:
+ address: envoy-gateway
+ port_value: 18000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 30s
+ timeout: 5s
+ name: xds_cluster
+ type: STRICT_DNS
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_maximum_protocol_version: TLSv1_3
+ tls_certificate_sds_secret_configs:
+ - name: xds_certificate
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-certificate.json"
+ resource_api_version: V3
+ validation_context_sds_secret_config:
+ name: xds_trusted_ca
+ sds_config:
+ path_config_source:
+ path: "/sds/xds-trusted-ca.json"
+ resource_api_version: V3
+overload_manager:
+ refresh_interval: 0.25s
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ - name: "envoy.resource_monitors.fixed_heap"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig
+ max_heap_size_bytes: 1073741824
+ actions:
+ - name: "envoy.overload_actions.shrink_heap"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.95
+ - name: "envoy.overload_actions.stop_accepting_requests"
+ triggers:
+ - name: "envoy.resource_monitors.fixed_heap"
+ threshold:
+ value: 0.98
diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go
index 720cd7dddd6..f9c88d58175 100644
--- a/internal/xds/translator/basicauth.go
+++ b/internal/xds/translator/basicauth.go
@@ -108,15 +108,9 @@ func basicAuthConfig(basicAuth *ir.BasicAuth) *basicauthv3.BasicAuth {
// routeContainsBasicAuth returns true if BasicAuth exists for the provided route.
func routeContainsBasicAuth(irRoute *ir.HTTPRoute) bool {
- if irRoute == nil {
- return false
- }
-
- if irRoute != nil &&
- irRoute.BasicAuth != nil {
+ if irRoute != nil && irRoute.BasicAuth != nil {
return true
}
-
return false
}
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go
index 576c1233a11..0d2593f9cc6 100644
--- a/internal/xds/translator/cluster.go
+++ b/internal/xds/translator/cluster.go
@@ -206,6 +206,7 @@ func buildXdsHealthCheck(healthcheck *ir.ActiveHealthCheck) []*corev3.HealthChec
}
if healthcheck.HTTP != nil {
httpChecker := &corev3.HealthCheck_HttpHealthCheck{
+ Host: healthcheck.HTTP.Host,
Path: healthcheck.HTTP.Path,
}
if healthcheck.HTTP.Method != nil {
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index 9720ffb341d..eb79779f8e9 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -202,15 +202,9 @@ func grpcService(grpc *ir.GRPCExtAuthService) *corev3.GrpcService_EnvoyGrpc {
// routeContainsExtAuth returns true if ExtAuth exists for the provided route.
func routeContainsExtAuth(irRoute *ir.HTTPRoute) bool {
- if irRoute == nil {
- return false
- }
-
- if irRoute != nil &&
- irRoute.ExtAuth != nil {
+ if irRoute != nil && irRoute.ExtAuth != nil {
return true
}
-
return false
}
@@ -244,40 +238,6 @@ func (*extAuth) patchResources(tCtx *types.ResourceVersionTable,
return errs
}
-func createExtServiceXDSCluster(rd *ir.RouteDestination, tCtx *types.ResourceVersionTable) error {
- var (
- endpointType EndpointType
- tSocket *corev3.TransportSocket
- err error
- )
-
- // Get the address type from the first setting.
- // This is safe because no mixed address types in the settings.
- addrTypeState := rd.Settings[0].AddressType
- if addrTypeState != nil && *addrTypeState == ir.FQDN {
- endpointType = EndpointTypeDNS
- } else {
- endpointType = EndpointTypeStatic
- }
-
- if rd.Settings[0].TLS != nil {
- tSocket, err = processTLSSocket(rd.Settings[0].TLS, tCtx)
- if err != nil {
- return err
- }
- }
-
- if err = addXdsCluster(tCtx, &xdsClusterArgs{
- name: rd.Name,
- settings: rd.Settings,
- tSocket: tSocket,
- endpointType: endpointType,
- }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
- return err
- }
- return nil
-}
-
// patchRoute patches the provided route with the extAuth config if applicable.
// Note: this method enables the corresponding extAuth filter for the provided route.
func (*extAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
diff --git a/internal/xds/translator/extproc.go b/internal/xds/translator/extproc.go
new file mode 100644
index 00000000000..19dd8480753
--- /dev/null
+++ b/internal/xds/translator/extproc.go
@@ -0,0 +1,175 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package translator
+
+import (
+ "errors"
+
+ corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ extprocv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
+ hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+ "github.com/golang/protobuf/ptypes/duration"
+ "google.golang.org/protobuf/types/known/anypb"
+
+ "github.com/envoyproxy/gateway/internal/ir"
+ "github.com/envoyproxy/gateway/internal/xds/types"
+)
+
+const (
+ extProcFilter = "envoy.filters.http.ext_proc"
+)
+
+func init() {
+ registerHTTPFilter(&extProc{})
+}
+
+type extProc struct {
+}
+
+var _ httpFilter = &extProc{}
+
+// patchHCM builds and appends the ext_authz Filters to the HTTP Connection Manager
+// if applicable, and it does not already exist.
+// Note: this method creates an ext_authz filter for each route that contains an ExtAuthz config.
+// The filter is disabled by default. It is enabled on the route level.
+func (*extProc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error {
+ var errs error
+
+ if mgr == nil {
+ return errors.New("hcm is nil")
+ }
+
+ if irListener == nil {
+ return errors.New("ir listener is nil")
+ }
+
+ for _, route := range irListener.Routes {
+ if !routeContainsExtProc(route) {
+ continue
+ }
+
+ for _, ep := range route.ExtProcs {
+ if hcmContainsFilter(mgr, extProcFilterName(ep)) {
+ continue
+ }
+
+ filter, err := buildHCMExtProcFilter(ep)
+ if err != nil {
+ errs = errors.Join(errs, err)
+ continue
+ }
+
+ mgr.HttpFilters = append(mgr.HttpFilters, filter)
+ }
+ }
+
+ return errs
+}
+
+// buildHCMExtProcFilter returns an ext_authp HTTP filter from the provided IR HTTPRoute.
+func buildHCMExtProcFilter(extProc ir.ExtProc) (*hcmv3.HttpFilter, error) {
+ extAuthProto := extProcConfig(extProc)
+ if err := extAuthProto.ValidateAll(); err != nil {
+ return nil, err
+ }
+
+ extAuthAny, err := anypb.New(extAuthProto)
+ if err != nil {
+ return nil, err
+ }
+
+ // All extproc filters for all Routes are aggregated on HCM and disabled by default
+ // Per-route config is used to enable the relevant filters on appropriate routes
+ return &hcmv3.HttpFilter{
+ Name: extProcFilterName(extProc),
+ Disabled: true,
+ ConfigType: &hcmv3.HttpFilter_TypedConfig{
+ TypedConfig: extAuthAny,
+ },
+ }, nil
+}
+
+func extProcFilterName(extProc ir.ExtProc) string {
+ return perRouteFilterName(extProcFilter, extProc.Name)
+}
+
+func extProcConfig(extProc ir.ExtProc) *extprocv3.ExternalProcessor {
+ config := &extprocv3.ExternalProcessor{
+ GrpcService: &corev3.GrpcService{
+ TargetSpecifier: &corev3.GrpcService_EnvoyGrpc_{
+ EnvoyGrpc: grpcExtProcService(extProc),
+ },
+ Timeout: &duration.Duration{
+ Seconds: defaultExtServiceRequestTimeout,
+ },
+ },
+ }
+
+ return config
+}
+
+func grpcExtProcService(extProc ir.ExtProc) *corev3.GrpcService_EnvoyGrpc {
+ return &corev3.GrpcService_EnvoyGrpc{
+ ClusterName: extProc.Destination.Name,
+ Authority: extProc.Authority,
+ }
+}
+
+// routeContainsExtProc returns true if ExtProcs exists for the provided route.
+func routeContainsExtProc(irRoute *ir.HTTPRoute) bool {
+ if irRoute == nil {
+ return false
+ }
+
+ return len(irRoute.ExtProcs) > 0
+}
+
+// patchResources patches the cluster resources for the external auth services.
+func (*extProc) patchResources(tCtx *types.ResourceVersionTable,
+ routes []*ir.HTTPRoute) error {
+ if tCtx == nil || tCtx.XdsResources == nil {
+ return errors.New("xds resource table is nil")
+ }
+
+ var errs error
+ for _, route := range routes {
+ if !routeContainsExtProc(route) {
+ continue
+ }
+
+ for i := range route.ExtProcs {
+ ep := route.ExtProcs[i]
+ if err := createExtServiceXDSCluster(
+ &ep.Destination, tCtx); err != nil && !errors.Is(
+ err, ErrXdsClusterExists) {
+ errs = errors.Join(errs, err)
+ }
+ }
+
+ }
+
+ return errs
+}
+
+// patchRoute patches the provided route with the extProc config if applicable.
+// Note: this method enables the corresponding extProc filter for the provided route.
+func (*extProc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+ if route == nil {
+ return errors.New("xds route is nil")
+ }
+ if irRoute == nil {
+ return errors.New("ir route is nil")
+ }
+
+ for _, ep := range irRoute.ExtProcs {
+ filterName := extProcFilterName(ep)
+ if err := enableFilterOnRoute(route, filterName); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/internal/xds/translator/fault.go b/internal/xds/translator/fault.go
index 3b622097a66..ae01b566c84 100644
--- a/internal/xds/translator/fault.go
+++ b/internal/xds/translator/fault.go
@@ -59,7 +59,7 @@ func (*fault) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPList
}
}
- faultFilter, err := buildHCMFaultFilter(irListener)
+ faultFilter, err := buildHCMFaultFilter()
if err != nil {
return err
}
@@ -69,8 +69,8 @@ func (*fault) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPList
}
// buildHCMFaultFilter returns a basic_auth HTTP filter from the provided IR HTTPRoute.
-func buildHCMFaultFilter(irListener *ir.HTTPListener) (*hcmv3.HttpFilter, error) {
- faultProto := faultConfig(irListener)
+func buildHCMFaultFilter() (*hcmv3.HttpFilter, error) {
+ faultProto := &xdshttpfaultv3.HTTPFault{}
if err := faultProto.ValidateAll(); err != nil {
return nil, err
@@ -89,10 +89,6 @@ func buildHCMFaultFilter(irListener *ir.HTTPListener) (*hcmv3.HttpFilter, error)
}, nil
}
-func faultConfig(irListener *ir.HTTPListener) *xdshttpfaultv3.HTTPFault {
- return &xdshttpfaultv3.HTTPFault{}
-}
-
// listenerContainsFault returns true if Fault exists for the provided listener.
func listenerContainsFault(irListener *ir.HTTPListener) bool {
for _, route := range irListener.Routes {
@@ -105,15 +101,9 @@ func listenerContainsFault(irListener *ir.HTTPListener) bool {
// routeContainsFault returns true if Fault exists for the provided route.
func routeContainsFault(irRoute *ir.HTTPRoute) bool {
- if irRoute == nil {
- return false
- }
-
- if irRoute != nil &&
- irRoute.FaultInjection != nil {
+ if irRoute != nil && irRoute.FaultInjection != nil {
return true
}
-
return false
}
diff --git a/internal/xds/translator/httpfilters.go b/internal/xds/translator/httpfilters.go
index c77cc8097ed..ca4e6bb64c3 100644
--- a/internal/xds/translator/httpfilters.go
+++ b/internal/xds/translator/httpfilters.go
@@ -74,7 +74,9 @@ type OrderedHTTPFilters []*OrderedHTTPFilter
// newOrderedHTTPFilter gives each HTTP filter a rational order.
// This is needed because the order of the filters is important.
-// For example, the cors filter should be put at the first to avoid unnecessary
+// For example, the fault filter should be placed in the first position because
+// it doesn't rely on the functionality of other filters, and rejecting early can save computation costs
+// for the remaining filters, the cors filter should be put at the second to avoid unnecessary
// processing of other filters for unauthorized cross-region access.
// The router filter must be the last one since it's a terminal filter.
//
@@ -86,23 +88,27 @@ func newOrderedHTTPFilter(filter *hcmv3.HttpFilter) *OrderedHTTPFilter {
order := 50
// Set a rational order for all the filters.
+ // When the fault filter is configured to be at the first, the computation of
+ // the remaining filters is skipped when rejected early
switch {
- case filter.Name == wellknown.CORS:
+ case filter.Name == wellknown.Fault:
order = 1
- case isFilterType(filter, extAuthFilter):
+ case filter.Name == wellknown.CORS:
order = 2
- case isFilterType(filter, basicAuthFilter):
+ case isFilterType(filter, extAuthFilter):
order = 3
- case isFilterType(filter, oauth2Filter):
+ case isFilterType(filter, basicAuthFilter):
order = 4
- case filter.Name == jwtAuthn:
+ case isFilterType(filter, oauth2Filter):
order = 5
- case filter.Name == wellknown.Fault:
+ case filter.Name == jwtAuthn:
order = 6
- case filter.Name == localRateLimitFilter:
+ case filter.Name == extProcFilter:
order = 7
- case filter.Name == wellknown.HTTPRateLimit:
+ case filter.Name == localRateLimitFilter:
order = 8
+ case filter.Name == wellknown.HTTPRateLimit:
+ order = 9
case filter.Name == wellknown.Router:
order = 100
}
diff --git a/internal/xds/translator/httpfilters_test.go b/internal/xds/translator/httpfilters_test.go
index c23f681efd8..47cd118da58 100644
--- a/internal/xds/translator/httpfilters_test.go
+++ b/internal/xds/translator/httpfilters_test.go
@@ -32,12 +32,12 @@ func Test_sortHTTPFilters(t *testing.T) {
httpFilterForTest(extAuthFilter + "-route1"),
},
want: []*hcmv3.HttpFilter{
+ httpFilterForTest(wellknown.Fault),
httpFilterForTest(wellknown.CORS),
httpFilterForTest(extAuthFilter + "-route1"),
httpFilterForTest(basicAuthFilter + "-route1"),
httpFilterForTest(oauth2Filter + "-route1"),
httpFilterForTest(jwtAuthn),
- httpFilterForTest(wellknown.Fault),
httpFilterForTest(wellknown.HTTPRateLimit),
httpFilterForTest(wellknown.Router),
},
diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
index 1fa26376d92..72e8029f1c4 100644
--- a/internal/xds/translator/jwt.go
+++ b/internal/xds/translator/jwt.go
@@ -323,17 +323,12 @@ func listenerContainsJWTAuthn(irListener *ir.HTTPListener) bool {
// routeContainsJWTAuthn returns true if JWT authentication exists for the
// provided route.
func routeContainsJWTAuthn(irRoute *ir.HTTPRoute) bool {
- if irRoute == nil {
- return false
- }
-
if irRoute != nil &&
irRoute.JWT != nil &&
irRoute.JWT.Providers != nil &&
len(irRoute.JWT.Providers) > 0 {
return true
}
-
return false
}
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go
index d84fc58c4e9..9d470edbe35 100644
--- a/internal/xds/translator/listener.go
+++ b/internal/xds/translator/listener.go
@@ -133,14 +133,15 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin
// buildXdsTCPListener creates a xds Listener resource
// TODO: Improve function parameters
-func buildXdsTCPListener(name, address string, port uint32, keepalive *ir.TCPKeepalive, accesslog *ir.AccessLog) *listenerv3.Listener {
+func buildXdsTCPListener(name, address string, port uint32, keepalive *ir.TCPKeepalive, connection *ir.Connection, accesslog *ir.AccessLog) *listenerv3.Listener {
socketOptions := buildTCPSocketOptions(keepalive)
al := buildXdsAccessLog(accesslog, true)
+ bufferLimitBytes := buildPerConnectionBufferLimitBytes(connection)
return &listenerv3.Listener{
Name: name,
AccessLog: al,
SocketOptions: socketOptions,
- PerConnectionBufferLimitBytes: wrapperspb.UInt32(tcpListenerPerConnectionBufferLimitBytes),
+ PerConnectionBufferLimitBytes: bufferLimitBytes,
Address: &corev3.Address{
Address: &corev3.Address_SocketAddress{
SocketAddress: &corev3.SocketAddress{
@@ -158,6 +159,13 @@ func buildXdsTCPListener(name, address string, port uint32, keepalive *ir.TCPKee
}
}
+func buildPerConnectionBufferLimitBytes(connection *ir.Connection) *wrapperspb.UInt32Value {
+ if connection != nil && connection.BufferLimitBytes != nil {
+ return wrapperspb.UInt32(*connection.BufferLimitBytes)
+ }
+ return wrapperspb.UInt32(tcpListenerPerConnectionBufferLimitBytes)
+}
+
// buildXdsQuicListener creates a xds Listener resource for quic
func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) *listenerv3.Listener {
xdsListener := &listenerv3.Listener{
@@ -236,13 +244,19 @@ func (t *Translator) addXdsHTTPFilterChain(xdsListener *listenerv3.Listener, irL
MergeSlashes: irListener.Path.MergeSlashes,
PathWithEscapedSlashesAction: translateEscapePath(irListener.Path.EscapedSlashesAction),
CommonHttpProtocolOptions: &corev3.HttpProtocolOptions{
- HeadersWithUnderscoresAction: corev3.HttpProtocolOptions_REJECT_REQUEST,
+ HeadersWithUnderscoresAction: buildHeadersWithUnderscoresAction(irListener.Headers),
},
Tracing: hcmTracing,
}
- if irListener.Timeout != nil && irListener.Timeout.HTTP != nil && irListener.Timeout.HTTP.RequestReceivedTimeout != nil {
- mgr.RequestTimeout = durationpb.New(irListener.Timeout.HTTP.RequestReceivedTimeout.Duration)
+ if irListener.Timeout != nil && irListener.Timeout.HTTP != nil {
+ if irListener.Timeout.HTTP.RequestReceivedTimeout != nil {
+ mgr.RequestTimeout = durationpb.New(irListener.Timeout.HTTP.RequestReceivedTimeout.Duration)
+ }
+
+ if irListener.Timeout.HTTP.IdleTimeout != nil {
+ mgr.CommonHttpProtocolOptions.IdleTimeout = durationpb.New(irListener.Timeout.HTTP.IdleTimeout.Duration)
+ }
}
// Add the proxy protocol filter if needed
@@ -266,7 +280,7 @@ func (t *Translator) addXdsHTTPFilterChain(xdsListener *listenerv3.Listener, irL
var filters []*listenerv3.Filter
- if connection != nil && connection.Limit != nil {
+ if connection != nil && connection.ConnectionLimit != nil {
cl := buildConnectionLimitFilter(statPrefix, connection)
if clf, err := toNetworkFilter(networkConnectionLimit, cl); err == nil {
filters = append(filters, clf)
@@ -382,7 +396,7 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irListener *ir.TCPLi
var filters []*listenerv3.Filter
- if connection != nil && connection.Limit != nil {
+ if connection != nil && connection.ConnectionLimit != nil {
cl := buildConnectionLimitFilter(statPrefix, connection)
if clf, err := toNetworkFilter(networkConnectionLimit, cl); err == nil {
filters = append(filters, clf)
@@ -423,11 +437,11 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irListener *ir.TCPLi
func buildConnectionLimitFilter(statPrefix string, connection *ir.Connection) *connection_limitv3.ConnectionLimit {
cl := &connection_limitv3.ConnectionLimit{
StatPrefix: statPrefix,
- MaxConnections: wrapperspb.UInt64(*connection.Limit.Value),
+ MaxConnections: wrapperspb.UInt64(*connection.ConnectionLimit.Value),
}
- if connection.Limit.CloseDelay != nil {
- cl.Delay = durationpb.New(connection.Limit.CloseDelay.Duration)
+ if connection.ConnectionLimit.CloseDelay != nil {
+ cl.Delay = durationpb.New(connection.ConnectionLimit.CloseDelay.Duration)
}
return cl
}
@@ -737,3 +751,17 @@ func buildTCPProxyHashPolicy(lb *ir.LoadBalancer) []*typev3.HashPolicy {
return nil
}
+
+func buildHeadersWithUnderscoresAction(in *ir.HeaderSettings) corev3.HttpProtocolOptions_HeadersWithUnderscoresAction {
+ if in != nil {
+ switch in.WithUnderscoresAction {
+ case ir.WithUnderscoresActionAllow:
+ return corev3.HttpProtocolOptions_ALLOW
+ case ir.WithUnderscoresActionRejectRequest:
+ return corev3.HttpProtocolOptions_REJECT_REQUEST
+ case ir.WithUnderscoresActionDropHeader:
+ return corev3.HttpProtocolOptions_DROP_HEADER
+ }
+ }
+ return corev3.HttpProtocolOptions_REJECT_REQUEST
+}
diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
index 1910da4fb69..5b14a00f871 100644
--- a/internal/xds/translator/oidc.go
+++ b/internal/xds/translator/oidc.go
@@ -178,15 +178,9 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
// routeContainsOIDC returns true if OIDC exists for the provided route.
func routeContainsOIDC(irRoute *ir.HTTPRoute) bool {
- if irRoute == nil {
- return false
- }
-
- if irRoute != nil &&
- irRoute.OIDC != nil {
+ if irRoute != nil && irRoute.OIDC != nil {
return true
}
-
return false
}
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
index 22654bc8c45..fb894d66105 100644
--- a/internal/xds/translator/route.go
+++ b/internal/xds/translator/route.go
@@ -52,13 +52,23 @@ func buildXdsRoute(httpRoute *ir.HTTPRoute) (*routev3.Route, error) {
case httpRoute.DirectResponse != nil:
router.Action = &routev3.Route_DirectResponse{DirectResponse: buildXdsDirectResponseAction(httpRoute.DirectResponse)}
case httpRoute.Redirect != nil:
- router.Action = &routev3.Route_Redirect{Redirect: buildXdsRedirectAction(httpRoute.Redirect)}
+ router.Action = &routev3.Route_Redirect{Redirect: buildXdsRedirectAction(httpRoute)}
case httpRoute.URLRewrite != nil:
routeAction := buildXdsURLRewriteAction(httpRoute.Destination.Name, httpRoute.URLRewrite, httpRoute.PathMatch)
if httpRoute.Mirrors != nil {
routeAction.RequestMirrorPolicies = buildXdsRequestMirrorPolicies(httpRoute.Mirrors)
}
+ if !httpRoute.IsHTTP2 {
+ // Allow websocket upgrades for HTTP 1.1
+ // Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism
+ routeAction.UpgradeConfigs = []*routev3.RouteAction_UpgradeConfig{
+ {
+ UpgradeType: "websocket",
+ },
+ }
+ }
+
router.Action = &routev3.Route_Route{Route: routeAction}
default:
var routeAction *routev3.RouteAction
@@ -269,8 +279,11 @@ func idleTimeout(httpRoute *ir.HTTPRoute) *durationpb.Duration {
return nil
}
-func buildXdsRedirectAction(redirection *ir.Redirect) *routev3.RedirectAction {
- routeAction := &routev3.RedirectAction{}
+func buildXdsRedirectAction(httpRoute *ir.HTTPRoute) *routev3.RedirectAction {
+ var (
+ redirection = httpRoute.Redirect
+ routeAction = &routev3.RedirectAction{}
+ )
if redirection.Scheme != nil {
routeAction.SchemeRewriteSpecifier = &routev3.RedirectAction_SchemeRedirect{
@@ -283,8 +296,14 @@ func buildXdsRedirectAction(redirection *ir.Redirect) *routev3.RedirectAction {
PathRedirect: *redirection.Path.FullReplace,
}
} else if redirection.Path.PrefixMatchReplace != nil {
- routeAction.PathRewriteSpecifier = &routev3.RedirectAction_PrefixRewrite{
- PrefixRewrite: *redirection.Path.PrefixMatchReplace,
+ if useRegexRewriteForPrefixMatchReplace(httpRoute.PathMatch, *redirection.Path.PrefixMatchReplace) {
+ routeAction.PathRewriteSpecifier = &routev3.RedirectAction_RegexRewrite{
+ RegexRewrite: prefix2RegexRewrite(*httpRoute.PathMatch.Prefix),
+ }
+ } else {
+ routeAction.PathRewriteSpecifier = &routev3.RedirectAction_PrefixRewrite{
+ PrefixRewrite: *redirection.Path.PrefixMatchReplace,
+ }
}
}
}
@@ -303,6 +322,24 @@ func buildXdsRedirectAction(redirection *ir.Redirect) *routev3.RedirectAction {
return routeAction
}
+// useRegexRewriteForPrefixMatchReplace checks if the regex rewrite should be used for prefix match replace
+// due to the issue with Envoy not handling the case of "//" when the replace string is "/".
+// See: https://github.com/envoyproxy/envoy/issues/26055
+func useRegexRewriteForPrefixMatchReplace(pathMatch *ir.StringMatch, prefixMatchReplace string) bool {
+ return pathMatch != nil &&
+ pathMatch.Prefix != nil &&
+ (prefixMatchReplace == "" || prefixMatchReplace == "/")
+}
+
+func prefix2RegexRewrite(prefix string) *matcherv3.RegexMatchAndSubstitute {
+ return &matcherv3.RegexMatchAndSubstitute{
+ Pattern: &matcherv3.RegexMatcher{
+ Regex: "^" + prefix + `\/*`,
+ },
+ Substitution: "/",
+ }
+}
+
func buildXdsURLRewriteAction(destName string, urlRewrite *ir.URLRewrite, pathMatch *ir.StringMatch) *routev3.RouteAction {
routeAction := &routev3.RouteAction{
ClusterSpecifier: &routev3.RouteAction_Cluster{
@@ -323,14 +360,8 @@ func buildXdsURLRewriteAction(destName string, urlRewrite *ir.URLRewrite, pathMa
// An empty replace string does not seem to solve the issue so we are using
// a regex match and replace instead
// Remove this workaround once https://github.com/envoyproxy/envoy/issues/26055 is fixed
- if pathMatch != nil && pathMatch.Prefix != nil &&
- (*urlRewrite.Path.PrefixMatchReplace == "" || *urlRewrite.Path.PrefixMatchReplace == "/") {
- routeAction.RegexRewrite = &matcherv3.RegexMatchAndSubstitute{
- Pattern: &matcherv3.RegexMatcher{
- Regex: "^" + *pathMatch.Prefix + `\/*`,
- },
- Substitution: "/",
- }
+ if useRegexRewriteForPrefixMatchReplace(pathMatch, *urlRewrite.Path.PrefixMatchReplace) {
+ routeAction.RegexRewrite = prefix2RegexRewrite(*pathMatch.Prefix)
} else {
routeAction.PrefixRewrite = *urlRewrite.Path.PrefixMatchReplace
}
diff --git a/internal/xds/translator/testdata/in/xds-ir/client-buffer-limit.yaml b/internal/xds/translator/testdata/in/xds-ir/client-buffer-limit.yaml
new file mode 100644
index 00000000000..44b8992a297
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/client-buffer-limit.yaml
@@ -0,0 +1,21 @@
+http:
+ - name: "first-listener"
+ address: "0.0.0.0"
+ port: 10080
+ hostnames:
+ - "*"
+ path:
+ mergeSlashes: true
+ escapedSlashesAction: UnescapeAndRedirect
+ routes:
+ - name: "first-route"
+ hostname: "*"
+ destination:
+ name: "first-route-dest"
+ settings:
+ - endpoints:
+ - host: "1.2.3.4"
+ port: 50000
+ connection:
+ bufferLimit: 1500
+
diff --git a/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml b/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml
index 1c05b605a35..06c44b051db 100644
--- a/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml
@@ -19,4 +19,5 @@ http:
timeout:
http:
requestReceivedTimeout: "5s"
+ idleTimeout: "10s"
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml
new file mode 100644
index 00000000000..170f1a3f2ea
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml
@@ -0,0 +1,81 @@
+http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ envoyExtensionFeatures:
+ extProc:
+ - name: envoyextensionpolicy/default/policy-for-route-2/0
+ authority: grpc-backend-4.default:4000
+ destination:
+ name: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4
+ settings:
+ - protocol: GRPC
+ weight: 1
+ - name: envoyextensionpolicy/default/policy-for-route-1/0
+ authority: grpc-backend-2.default:8000
+ destination:
+ name: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2
+ settings:
+ - protocol: GRPC
+ weight: 1
+ hostname: gateway.envoyproxy.io
+ isHTTP2: false
+ name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
+ - backendWeights:
+ invalid: 0
+ valid: 0
+ destination:
+ name: httproute/default/httproute-2/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ envoyExtensionFeatures:
+ extProc:
+ - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0
+ authority: grpc-backend-3.envoy-gateway:3000
+ destination:
+ name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3
+ settings:
+ - protocol: GRPC
+ weight: 1
+ - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0
+ authority: grpc-backend.envoy-gateway:9000
+ destination:
+ name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend
+ settings:
+ - protocol: GRPC
+ weight: 1
+ hostname: gateway.envoyproxy.io
+ isHTTP2: false
+ name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /bar
diff --git a/internal/xds/translator/testdata/in/xds-ir/headers-with-underscores-action.yaml b/internal/xds/translator/testdata/in/xds-ir/headers-with-underscores-action.yaml
new file mode 100644
index 00000000000..53b7076925c
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/headers-with-underscores-action.yaml
@@ -0,0 +1,64 @@
+http:
+- name: "first-listener"
+ address: "0.0.0.0"
+ port: 8081
+ hostnames:
+ - "*"
+ routes:
+ - name: "first-route"
+ hostname: "*"
+ destination:
+ name: "first-route-dest"
+ settings:
+ - endpoints:
+ - host: "1.1.1.1"
+ port: 8081
+- name: "second-listener"
+ address: "0.0.0.0"
+ port: 8082
+ hostnames:
+ - "*"
+ routes:
+ - name: "second-route"
+ hostname: "*"
+ destination:
+ name: "second-route-dest"
+ settings:
+ - endpoints:
+ - host: "2.2.2.2"
+ port: 8082
+ headers:
+ withUnderscoresAction: Allow
+- name: "third-listener"
+ address: "0.0.0.0"
+ port: 8083
+ hostnames:
+ - "*"
+ routes:
+ - name: "third-route"
+ hostname: "*"
+ destination:
+ name: "third-route-dest"
+ settings:
+ - endpoints:
+ - host: "3.3.3.3"
+ port: 8083
+ headers:
+ withUnderscoresAction: RejectRequest
+- name: "fourth-listener"
+ address: "0.0.0.0"
+ port: 8084
+ hostnames:
+ - "*"
+ routes:
+ - name: "fourth-route"
+ hostname: "*"
+ destination:
+ name: "fourth-route-dest"
+ settings:
+ - endpoints:
+ - host: "4.4.4.4"
+ port: 8084
+ headers:
+ withUnderscoresAction: DropHeader
+
diff --git a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml
index ca5f9c0a1c8..a767bdab208 100644
--- a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml
@@ -17,6 +17,7 @@ http:
unhealthyThreshold: 3
healthyThreshold: 1
http:
+ host: "*"
path: "/healthz"
expectedResponse:
text: "ok"
@@ -46,6 +47,7 @@ http:
unhealthyThreshold: 3
healthyThreshold: 3
http:
+ host: "*"
path: "/healthz"
expectedResponse:
binary: "cG9uZw=="
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml
index 1aadcbb76c7..36599609deb 100644
--- a/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml
@@ -9,7 +9,7 @@ http:
mergeSlashes: true
escapedSlashesAction: UnescapeAndRedirect
routes:
- - name: "redirect-route"
+ - name: "redirect-route-1"
hostname: "*"
destination:
name: "redirect-route-dest"
@@ -24,3 +24,29 @@ http:
port: 8443
path:
prefixMatchReplace: /redirected
+ - name: "redirect-route-2"
+ hostname: "*"
+ pathMatch:
+ prefix: "/redirect"
+ destination:
+ name: "redirect-route-dest"
+ settings:
+ - endpoints:
+ - host: "1.2.3.4"
+ port: 50000
+ redirect:
+ path:
+ prefixMatchReplace: /
+ - name: "redirect-route-3"
+ hostname: "*"
+ pathMatch:
+ prefix: "/redirect/"
+ destination:
+ name: "redirect-route-dest"
+ settings:
+ - endpoints:
+ - host: "1.2.3.4"
+ port: 50000
+ redirect:
+ path:
+ prefixMatchReplace: /
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml
new file mode 100644
index 00000000000..d53a7a1b2ce
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml
@@ -0,0 +1,17 @@
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: first-route-dest
+ lbPolicy: LEAST_REQUEST
+ name: first-route-dest
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.endpoints.yaml
new file mode 100644
index 00000000000..3b3f2d09076
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.endpoints.yaml
@@ -0,0 +1,12 @@
+- clusterName: first-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 1.2.3.4
+ portValue: 50000
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: first-route-dest/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml
new file mode 100644
index 00000000000..2695956100e
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml
@@ -0,0 +1,34 @@
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 10080
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ mergeSlashes: true
+ normalizePath: true
+ pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: first-listener
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: first-listener
+ perConnectionBufferLimitBytes: 1500
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.routes.yaml
new file mode 100644
index 00000000000..0b5b4bee7bb
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.routes.yaml
@@ -0,0 +1,14 @@
+- ignorePortInHostMatching: true
+ name: first-listener
+ virtualHosts:
+ - domains:
+ - '*'
+ name: first-listener/*
+ routes:
+ - match:
+ prefix: /
+ name: first-route
+ route:
+ cluster: first-route-dest
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml
index a84c776ac2e..bea4f4d1b22 100644
--- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml
@@ -9,6 +9,7 @@
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
commonHttpProtocolOptions:
headersWithUnderscoresAction: REJECT_REQUEST
+ idleTimeout: 10s
http2ProtocolOptions:
initialConnectionWindowSize: 1048576
initialStreamWindowSize: 65536
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml
new file mode 100755
index 00000000000..6a277bb94f6
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml
@@ -0,0 +1,34 @@
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: httproute/default/httproute-1/rule/0
+ lbPolicy: LEAST_REQUEST
+ name: httproute/default/httproute-1/rule/0
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: httproute/default/httproute-2/rule/0
+ lbPolicy: LEAST_REQUEST
+ name: httproute/default/httproute-2/rule/0
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.endpoints.yaml
new file mode 100755
index 00000000000..05442a9a15b
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.endpoints.yaml
@@ -0,0 +1,24 @@
+- clusterName: httproute/default/httproute-1/rule/0
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 7.7.7.7
+ portValue: 8080
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: httproute/default/httproute-1/rule/0/backend/0
+- clusterName: httproute/default/httproute-2/rule/0
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 7.7.7.7
+ portValue: 8080
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: httproute/default/httproute-2/rule/0/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml
new file mode 100755
index 00000000000..a593a50af36
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml
@@ -0,0 +1,34 @@
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 10080
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ mergeSlashes: true
+ normalizePath: true
+ pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: envoy-gateway/gateway-1/http
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: envoy-gateway/gateway-1/http
+ perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.routes.yaml
new file mode 100755
index 00000000000..a7002b63f87
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.routes.yaml
@@ -0,0 +1,21 @@
+- ignorePortInHostMatching: true
+ name: envoy-gateway/gateway-1/http
+ virtualHosts:
+ - domains:
+ - gateway.envoyproxy.io
+ name: envoy-gateway/gateway-1/http/gateway_envoyproxy_io
+ routes:
+ - match:
+ pathSeparatedPrefix: /foo
+ name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
+ route:
+ cluster: httproute/default/httproute-1/rule/0
+ upgradeConfigs:
+ - upgradeType: websocket
+ - match:
+ pathSeparatedPrefix: /bar
+ name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io
+ route:
+ cluster: httproute/default/httproute-2/rule/0
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml
new file mode 100755
index 00000000000..7a7e90de25b
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml
@@ -0,0 +1,68 @@
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: first-route-dest
+ lbPolicy: LEAST_REQUEST
+ name: first-route-dest
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: second-route-dest
+ lbPolicy: LEAST_REQUEST
+ name: second-route-dest
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: third-route-dest
+ lbPolicy: LEAST_REQUEST
+ name: third-route-dest
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig:
+ localityWeightedLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_ONLY
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: fourth-route-dest
+ lbPolicy: LEAST_REQUEST
+ name: fourth-route-dest
+ outlierDetection: {}
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.endpoints.yaml
new file mode 100755
index 00000000000..ad653a1de59
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.endpoints.yaml
@@ -0,0 +1,48 @@
+- clusterName: first-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 1.1.1.1
+ portValue: 8081
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: first-route-dest/backend/0
+- clusterName: second-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 2.2.2.2
+ portValue: 8082
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: second-route-dest/backend/0
+- clusterName: third-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 3.3.3.3
+ portValue: 8083
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: third-route-dest/backend/0
+- clusterName: fourth-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 4.4.4.4
+ portValue: 8084
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: fourth-route-dest/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml
new file mode 100644
index 00000000000..a987a9cd890
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml
@@ -0,0 +1,127 @@
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 8081
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ normalizePath: true
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: first-listener
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: first-listener
+ perConnectionBufferLimitBytes: 32768
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 8082
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions: {}
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ normalizePath: true
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: second-listener
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: second-listener
+ perConnectionBufferLimitBytes: 32768
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 8083
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ normalizePath: true
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: third-listener
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: third-listener
+ perConnectionBufferLimitBytes: 32768
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 8084
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: DROP_HEADER
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ normalizePath: true
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: fourth-listener
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http
+ useRemoteAddress: true
+ drainType: MODIFY_ONLY
+ name: fourth-listener
+ perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.routes.yaml
new file mode 100755
index 00000000000..a0e9171307d
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.routes.yaml
@@ -0,0 +1,56 @@
+- ignorePortInHostMatching: true
+ name: first-listener
+ virtualHosts:
+ - domains:
+ - '*'
+ name: first-listener/*
+ routes:
+ - match:
+ prefix: /
+ name: first-route
+ route:
+ cluster: first-route-dest
+ upgradeConfigs:
+ - upgradeType: websocket
+- ignorePortInHostMatching: true
+ name: second-listener
+ virtualHosts:
+ - domains:
+ - '*'
+ name: second-listener/*
+ routes:
+ - match:
+ prefix: /
+ name: second-route
+ route:
+ cluster: second-route-dest
+ upgradeConfigs:
+ - upgradeType: websocket
+- ignorePortInHostMatching: true
+ name: third-listener
+ virtualHosts:
+ - domains:
+ - '*'
+ name: third-listener/*
+ routes:
+ - match:
+ prefix: /
+ name: third-route
+ route:
+ cluster: third-route-dest
+ upgradeConfigs:
+ - upgradeType: websocket
+- ignorePortInHostMatching: true
+ name: fourth-listener
+ virtualHosts:
+ - domains:
+ - '*'
+ name: fourth-listener/*
+ routes:
+ - match:
+ prefix: /
+ name: fourth-route
+ route:
+ cluster: fourth-route-dest
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml
index 8c076fbdb87..b789b876c3c 100644
--- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml
@@ -18,6 +18,7 @@
start: "200"
- end: "301"
start: "300"
+ host: '*'
path: /healthz
receive:
- text: 6f6b
@@ -53,6 +54,7 @@
expectedStatuses:
- end: "202"
start: "200"
+ host: '*'
path: /healthz
receive:
- binary: cG9uZw==
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.routes.yaml
index 7cac95f1009..d2c46435ee3 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.routes.yaml
@@ -7,10 +7,26 @@
routes:
- match:
prefix: /
- name: redirect-route
+ name: redirect-route-1
redirect:
hostRedirect: redirected.com
portRedirect: 8443
prefixRewrite: /redirected
responseCode: FOUND
schemeRedirect: https
+ - match:
+ pathSeparatedPrefix: /redirect
+ name: redirect-route-2
+ redirect:
+ regexRewrite:
+ pattern:
+ regex: ^/redirect\/*
+ substitution: /
+ - match:
+ pathSeparatedPrefix: /redirect
+ name: redirect-route-3
+ redirect:
+ regexRewrite:
+ pattern:
+ regex: ^/redirect/\/*
+ substitution: /
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml
index 2bf01099ad2..d5a0bd98994 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml
@@ -18,3 +18,5 @@
pattern:
regex: ^/origin/\/*
substitution: /
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml
index f1f30bbbffc..f8b81712dae 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml
@@ -14,3 +14,5 @@
pattern:
regex: /.+
substitution: /rewrite
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml
index 7de20ab0305..680a67404ee 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml
@@ -17,3 +17,5 @@
cluster: rewrite-route-dest
hostRewriteLiteral: 3.3.3.3
prefixRewrite: /rewrite
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml
index a5f47ebab54..84bc70f04bd 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml
@@ -15,3 +15,5 @@
route:
cluster: rewrite-route-dest
prefixRewrite: /rewrite
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
index b0d639457de..adc74d53fd6 100644
--- a/internal/xds/translator/translator.go
+++ b/internal/xds/translator/translator.go
@@ -134,7 +134,7 @@ func (t *Translator) processHTTPListenerXdsTranslation(
var quicXDSListener *listenerv3.Listener
enabledHTTP3 := httpListener.HTTP3 != nil
if xdsListener == nil {
- xdsListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.TCPKeepalive, accessLog)
+ xdsListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.TCPKeepalive, httpListener.Connection, accessLog)
if enabledHTTP3 {
quicXDSListener = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog)
if err := tCtx.AddXdsResource(resourcev3.ListenerType, quicXDSListener); err != nil {
@@ -271,9 +271,7 @@ func (t *Translator) processHTTPListenerXdsTranslation(
// Check if an extension want to modify the route we just generated
// If no extension exists (or it doesn't subscribe to this hook) then this is a quick no-op.
if err = processExtensionPostRouteHook(xdsRoute, vHost, httpRoute, t.ExtensionManager); err != nil {
- if err != nil {
- errs = errors.Join(errs, err)
- }
+ errs = errors.Join(errs, err)
}
if enabledHTTP3 {
@@ -401,7 +399,7 @@ func processTCPListenerXdsTranslation(tCtx *types.ResourceVersionTable, tcpListe
// Search for an existing listener, if it does not exist, create one.
xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP)
if xdsListener == nil {
- xdsListener = buildXdsTCPListener(tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.TCPKeepalive, accesslog)
+ xdsListener = buildXdsTCPListener(tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog)
if err := tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil {
// skip this listener if failed to add xds listener to the
errs = errors.Join(errs, err)
diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
index 19684ff492b..367e7741277 100644
--- a/internal/xds/translator/translator_test.go
+++ b/internal/xds/translator/translator_test.go
@@ -262,6 +262,9 @@ func TestTranslateXds(t *testing.T) {
{
name: "fault-injection",
},
+ {
+ name: "headers-with-underscores-action",
+ },
{
name: "tls-with-ciphers-versions-alpn",
},
@@ -292,6 +295,9 @@ func TestTranslateXds(t *testing.T) {
{
name: "client-timeout",
},
+ {
+ name: "client-buffer-limit",
+ },
{
name: "retry-partial-invalid",
},
@@ -301,6 +307,9 @@ func TestTranslateXds(t *testing.T) {
{
name: "listener-connection-limit",
},
+ {
+ name: "ext-proc",
+ },
}
for _, tc := range testCases {
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
index 64f946373b7..e3002d9a8a3 100644
--- a/internal/xds/translator/utils.go
+++ b/internal/xds/translator/utils.go
@@ -13,8 +13,13 @@ import (
"strconv"
"strings"
+ "github.com/envoyproxy/gateway/internal/ir"
+ "github.com/envoyproxy/gateway/internal/xds/types"
+
+ corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+
"google.golang.org/protobuf/types/known/anypb"
)
@@ -122,3 +127,37 @@ func hcmContainsFilter(mgr *hcmv3.HttpConnectionManager, filterName string) bool
}
return false
}
+
+func createExtServiceXDSCluster(rd *ir.RouteDestination, tCtx *types.ResourceVersionTable) error {
+ var (
+ endpointType EndpointType
+ tSocket *corev3.TransportSocket
+ err error
+ )
+
+ // Get the address type from the first setting.
+ // This is safe because no mixed address types in the settings.
+ addrTypeState := rd.Settings[0].AddressType
+ if addrTypeState != nil && *addrTypeState == ir.FQDN {
+ endpointType = EndpointTypeDNS
+ } else {
+ endpointType = EndpointTypeStatic
+ }
+
+ if rd.Settings[0].TLS != nil {
+ tSocket, err = processTLSSocket(rd.Settings[0].TLS, tCtx)
+ if err != nil {
+ return err
+ }
+ }
+
+ if err = addXdsCluster(tCtx, &xdsClusterArgs{
+ name: rd.Name,
+ settings: rd.Settings,
+ tSocket: tSocket,
+ endpointType: endpointType,
+ }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+ return err
+ }
+ return nil
+}
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 5ee09c30dfa..08fa90a3004 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -44,7 +44,8 @@ _Appears in:_
-ActiveHealthCheck defines the active health check configuration. EG supports various types of active health checking including HTTP, TCP.
+ActiveHealthCheck defines the active health check configuration.
+EG supports various types of active health checking including HTTP, TCP.
_Appears in:_
- [HealthCheck](#healthcheck)
@@ -56,8 +57,8 @@ _Appears in:_
| `unhealthyThreshold` | _integer_ | false | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. |
| `healthyThreshold` | _integer_ | false | HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy. |
| `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | Type defines the type of health checker. |
-| `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker. It's required while the health checker type is HTTP. |
-| `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker. It's required while the health checker type is TCP. |
+| `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. |
+| `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. |
#### ActiveHealthCheckPayload
@@ -111,14 +112,15 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | BaseInterval is the base interval between retries. |
-| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval |
+| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval |
#### BackendTrafficPolicy
-BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service.
+BackendTrafficPolicy allows the user to configure the behavior of the connection
+between the Envoy Proxy listener and the backend service.
_Appears in:_
- [BackendTrafficPolicyList](#backendtrafficpolicylist)
@@ -158,15 +160,15 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | targetRef is the name of the resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. |
-| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. |
-| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints |
+| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | targetRef is the name of the resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway. |
+| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. |
+| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints |
| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. |
-| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection. Disabled by default. |
+| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. |
| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. |
-| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to inject delays and abort requests to mimic failure scenarios such as service failures and overloads |
-| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests. If not set, circuit breakers will be enabled with the default thresholds |
-| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. If not set, retry will be disabled. |
+| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads |
+| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds |
+| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. |
| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. |
| `compression` | _[Compression](#compression) array_ | false | The compression config for the http streams. |
@@ -182,7 +184,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in htpasswd format, used to verify user credentials in the "Authorization" header.
This is an Opaque secret. The username-password pairs should be stored in the key ".htpasswd". As the key name indicates, the value needs to be the htpasswd format, for example: "user1:{SHA}hashed_user1_password". Right now, only SHA hash algorithm is supported. Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html for more details.
Note: The secret must be in the same namespace as the SecurityPolicy. |
+| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.
This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:{SHA}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.
Note: The secret must be in the same namespace as the SecurityPolicy. |
#### BootstrapType
@@ -212,7 +214,7 @@ _Appears in:_
| `allowHeaders` | _string array_ | true | AllowHeaders defines the headers that are allowed to be sent with requests. |
| `exposeHeaders` | _string array_ | true | ExposeHeaders defines the headers that can be exposed in the responses. |
| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | MaxAge defines how long the results of a preflight request can be cached. |
-| `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials like cookies, authentication headers, or TLS client certificates. |
+| `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates. |
#### CircuitBreaker
@@ -230,7 +232,7 @@ _Appears in:_
| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. |
| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. |
| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. |
-| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. Default: unlimited. |
+| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. |
#### ClaimToHeader
@@ -245,7 +247,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `header` | _string_ | true | Header defines the name of the HTTP request header that the JWT Claim will be saved into. |
-| `claim` | _string_ | true | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type (eg. "claim.nested.key", "sub"). The nested claim name must use dot "." to separate the JSON name path. |
+| `claim` | _string_ | true | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
(eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
to separate the JSON name path. |
#### ClientIPDetectionSettings
@@ -260,7 +262,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. |
-| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on a trusted custom HTTP header. This uses the the custom_header original IP detection extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto for more details. |
+| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. |
#### ClientTimeout
@@ -281,7 +283,8 @@ _Appears in:_
-ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener.
+ClientTrafficPolicy allows the user to configure the behavior of the connection
+between the downstream client and Envoy Proxy listener.
_Appears in:_
- [ClientTrafficPolicyList](#clienttrafficpolicylist)
@@ -321,9 +324,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. TargetRef |
-| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the downstream client connection. If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives. Disabled by default. |
-| `enableProxyProtocol` | _boolean_ | false | EnableProxyProtocol interprets the ProxyProtocol header and adds the Client Address into the X-Forwarded-For header. Note Proxy Protocol must be present when this field is set, else the connection is closed. |
+| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef |
+| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default. |
+| `enableProxyProtocol` | _boolean_ | false | EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed. |
| `clientIPDetection` | _[ClientIPDetectionSettings](#clientipdetectionsettings)_ | false | ClientIPDetectionSettings provides configuration for determining the original client IP address for requests. |
| `http3` | _[HTTP3Settings](#http3settings)_ | false | HTTP3 provides HTTP/3 configuration on the listener. |
| `tls` | _[TLSSettings](#tlssettings)_ | false | TLS settings configure TLS termination settings with the downstream client. |
@@ -338,21 +341,24 @@ _Appears in:_
-ClientValidationContext holds configuration that can be used to validate the client initiating the TLS connection to the Gateway. By default, no client specific configuration is validated.
+ClientValidationContext holds configuration that can be used to validate the client initiating the TLS connection
+to the Gateway.
+By default, no client specific configuration is validated.
_Appears in:_
- [TLSSettings](#tlssettings)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client.
A single reference to a Kubernetes ConfigMap or a Kubernetes Secret, with the CA certificate in a key named `ca.crt` is currently supported.
References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. |
+| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.
A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. |
#### Compression
-Compression defines the config of enabling compression. This can help reduce the bandwidth at the expense of higher CPU.
+Compression defines the config of enabling compression.
+This can help reduce the bandwidth at the expense of higher CPU.
_Appears in:_
- [BackendTrafficPolicySpec](#backendtrafficpolicyspec)
@@ -386,6 +392,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections |
+| `bufferLimit` | _[Quantity](#quantity)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. |
#### ConnectionLimit
@@ -399,15 +406,16 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `value` | _integer_ | true | Value of the maximum concurrent connections limit. When the limit is reached, incoming connections will be closed after the CloseDelay duration. Default: unlimited. |
-| `closeDelay` | _[Duration](#duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected once the limit value is reached. Default: none. |
+| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration.
Default: unlimited. |
+| `closeDelay` | _[Duration](#duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. |
#### ConsistentHash
-ConsistentHash defines the configuration related to the consistent hash load balancer policy
+ConsistentHash defines the configuration related to the consistent hash
+load balancer policy
_Appears in:_
- [LoadBalancer](#loadbalancer)
@@ -432,7 +440,10 @@ _Appears in:_
-CustomHeader provides configuration for determining the client IP address for a request based on a trusted custom HTTP header. This uses the the custom_header original IP detection extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto for more details.
+CustomHeader provides configuration for determining the client IP address for a request based on
+a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+for more details.
_Appears in:_
- [ClientIPDetectionSettings](#clientipdetectionsettings)
@@ -440,7 +451,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `name` | _string_ | true | Name of the header containing the original downstream remote address, if present. |
-| `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection fails. If set to true, the listener will respond with 403 Forbidden when the client IP address cannot be determined. |
+| `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. |
#### CustomTag
@@ -455,9 +466,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | _[CustomTagType](#customtagtype)_ | true | Type defines the type of custom tag. |
-| `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | Literal adds hard-coded value to each span. It's required when the type is "Literal". |
-| `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | Environment adds value from environment variable to each span. It's required when the type is "Environment". |
-| `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | RequestHeader adds value from request header to each span. It's required when the type is "RequestHeader". |
+| `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | Literal adds hard-coded value to each span.
It's required when the type is "Literal". |
+| `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | Environment adds value from environment variable to each span.
It's required when the type is "Environment". |
+| `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | RequestHeader adds value from request header to each span.
It's required when the type is "RequestHeader". |
#### CustomTagType
@@ -530,8 +541,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. TargetRef |
-| `priority` | _integer_ | false | Priority of the EnvoyExtensionPolicy. If multiple EnvoyExtensionPolices are applied to the same TargetRef, extensions will execute in the ascending order of the priority i.e. int32.min has the highest priority and int32.max has the lowest priority. Defaults to 0. |
+| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef |
+| `wasm` | _[Wasm](#wasm) array_ | false | WASM is a list of Wasm extensions to be loaded by the Gateway.
Order matters, as the extensions will be loaded in the order they are
defined in this list. |
+| `extProc` | _[ExtProc](#extproc) array_ | true | ExtProc is an ordered list of external processing filters
that should added to the envoy filter chain |
#### EnvoyGateway
@@ -546,14 +558,14 @@ EnvoyGateway is the schema for the envoygateways API.
| --- | --- | --- | --- |
| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1`
| `kind` | _string_ | |`EnvoyGateway`
-| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset, default configuration parameters will apply. |
-| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration. If unspecified, the Kubernetes provider is used with default configuration parameters. |
+| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. |
+| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. |
| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. |
-| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities. If unspecified, the Admin is used with default configuration parameters. |
-| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities. If unspecified, the telemetry is used with default configuration. |
-| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service deployed by Envoy Gateway required to implement the Global Rate limiting functionality. The specific rate limit service used here is the reference implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit. This configuration is unneeded for "Local" rate limiting. |
+| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. |
+| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. |
+| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. |
| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. |
-| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions implemented by Envoy Gateway |
+| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway |
#### EnvoyGatewayAdmin
@@ -599,8 +611,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider. This provider is used to specify the provider to be used to retrieve the resource configurations such as Gateway API resources |
-| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | true | Infrastructure defines the desired infrastructure provider. This provider is used to specify the provider to be used to provide an environment to deploy the out resources like the Envoy Proxy data plane. |
+| `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources |
+| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | true | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane. |
#### EnvoyGatewayFileResourceProvider
@@ -614,7 +626,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration. Recursive sub directories are not currently supported. |
+| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive sub directories are not currently supported. |
#### EnvoyGatewayHostInfrastructureProvider
@@ -640,7 +652,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | _[InfrastructureProviderType](#infrastructureprovidertype)_ | true | Type is the type of infrastructure providers to use. Supported types are "Host". |
-| `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | Host defines the configuration of the Host provider. Host provides runtime deployment of the data plane as a child process on the host environment. |
+| `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | Host defines the configuration of the Host provider. Host provides runtime
deployment of the data plane as a child process on the host environment. |
#### EnvoyGatewayKubernetesProvider
@@ -654,10 +666,11 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource. If unspecified, default settings for the managed Envoy ratelimit deployment resource are applied. |
+| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. |
| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. |
-| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane should be deployed |
+| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed |
| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
+| `leaderElection` | _[LeaderElection](#leaderelection)_ | false | LeaderElection specifies the configuration for leader election.
If it's not set up, leader election will be active by default, using Kubernetes' standard settings. |
#### EnvoyGatewayLogComponent
@@ -683,22 +696,23 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is the logging level. If unspecified, defaults to "info". EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit. LogLevel options: debug/info/error/warn. |
+| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. |
#### EnvoyGatewayMetricSink
-EnvoyGatewayMetricSink defines control plane metric sinks where metrics are sent to.
+EnvoyGatewayMetricSink defines control plane
+metric sinks where metrics are sent to.
_Appears in:_
- [EnvoyGatewayMetrics](#envoygatewaymetrics)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type. EG control plane currently supports OpenTelemetry. |
-| `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | OpenTelemetry defines the configuration for OpenTelemetry sink. It's required if the sink type is OpenTelemetry. |
+| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG control plane currently supports OpenTelemetry. |
+| `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. |
#### EnvoyGatewayMetrics
@@ -759,8 +773,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes". |
-| `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes provides runtime configuration via the Kubernetes API. |
-| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider allows you to define a specific resource provider and a infrastructure provider. |
+| `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. |
+| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and a infrastructure
provider. |
#### EnvoyGatewayResourceProvider
@@ -775,7 +789,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | _[ResourceProviderType](#resourceprovidertype)_ | true | Type is the type of resource provider to use. Supported types are "File". |
-| `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | File defines the configuration of the File provider. File provides runtime configuration defined by one or more files. |
+| `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | File defines the configuration of the File provider. File provides runtime
configuration defined by one or more files. |
#### EnvoyGatewaySpec
@@ -789,21 +803,22 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset, default configuration parameters will apply. |
-| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration. If unspecified, the Kubernetes provider is used with default configuration parameters. |
+| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. |
+| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. |
| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. |
-| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities. If unspecified, the Admin is used with default configuration parameters. |
-| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities. If unspecified, the telemetry is used with default configuration. |
-| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service deployed by Envoy Gateway required to implement the Global Rate limiting functionality. The specific rate limit service used here is the reference implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit. This configuration is unneeded for "Local" rate limiting. |
+| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. |
+| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. |
+| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. |
| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. |
-| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions implemented by Envoy Gateway |
+| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway |
#### EnvoyGatewayTelemetry
-EnvoyGatewayTelemetry defines telemetry configurations for envoy gateway control plane. Control plane will focus on metrics observability telemetry and tracing telemetry later.
+EnvoyGatewayTelemetry defines telemetry configurations for envoy gateway control plane.
+Control plane will focus on metrics observability telemetry and tracing telemetry later.
_Appears in:_
- [EnvoyGateway](#envoygateway)
@@ -818,7 +833,8 @@ _Appears in:_
-EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource using JSONPatch semantic
+EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource
+using JSONPatch semantic
_Appears in:_
- [EnvoyPatchPolicySpec](#envoypatchpolicyspec)
@@ -834,7 +850,8 @@ _Appears in:_
-EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API
+EnvoyPatchPolicy allows the user to modify the generated Envoy xDS
+resources by Envoy Gateway using this patch API
_Appears in:_
- [EnvoyPatchPolicyList](#envoypatchpolicylist)
@@ -874,10 +891,10 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | Type decides the type of patch. Valid EnvoyPatchType values are "JSONPatch". |
+| `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch". |
| `jsonPatches` | _[EnvoyJSONPatchConfig](#envoyjsonpatchconfig) array_ | false | JSONPatch defines the JSONPatch configuration. |
-| `targetRef` | _[PolicyTargetReference](#policytargetreference)_ | true | TargetRef is the name of the Gateway API resource this policy is being attached to. By default attaching to Gateway is supported and when mergeGateways is enabled it should attach to GatewayClass. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway TargetRef |
-| `priority` | _integer_ | true | Priority of the EnvoyPatchPolicy. If multiple EnvoyPatchPolicies are applied to the same TargetRef, they will be applied in the ascending order of the priority i.e. int32.min has the highest priority and int32.max has the lowest priority. Defaults to 0. |
+| `targetRef` | _[PolicyTargetReference](#policytargetreference)_ | true | TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef |
+| `priority` | _integer_ | true | Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0. |
#### EnvoyPatchType
@@ -911,16 +928,17 @@ EnvoyProxy is the schema for the envoyproxies API.
-EnvoyProxyKubernetesProvider defines configuration for the Kubernetes resource provider.
+EnvoyProxyKubernetesProvider defines configuration for the Kubernetes resource
+provider.
_Appears in:_
- [EnvoyProxyProvider](#envoyproxyprovider)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | EnvoyDeployment defines the desired state of the Envoy deployment resource. If unspecified, default settings for the managed Envoy deployment resource are applied. |
-| `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | EnvoyService defines the desired state of the Envoy service resource. If unspecified, default settings for the managed Envoy service resource are applied. |
-| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment. Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. |
+| `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | EnvoyDeployment defines the desired state of the Envoy deployment resource.
If unspecified, default settings for the managed Envoy deployment resource
are applied. |
+| `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | EnvoyService defines the desired state of the Envoy service resource.
If unspecified, default settings for the managed Envoy service resource
are applied. |
+| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. |
#### EnvoyProxyProvider
@@ -934,8 +952,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[ProviderType](#providertype)_ | true | Type is the type of resource provider to use. A resource provider provides infrastructure resources for running the data plane, e.g. Envoy proxy, and optional auxiliary control planes. Supported types are "Kubernetes". |
-| `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | Kubernetes defines the desired state of the Kubernetes resource provider. Kubernetes provides infrastructure resources for running the data plane, e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings for managed Kubernetes resources are applied. |
+| `type` | _[ProviderType](#providertype)_ | true | Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
optional auxiliary control planes. Supported types are "Kubernetes". |
+| `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | Kubernetes defines the desired state of the Kubernetes resource provider.
Kubernetes provides infrastructure resources for running the data plane,
e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
for managed Kubernetes resources are applied. |
#### EnvoyProxySpec
@@ -949,13 +967,13 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | Provider defines the desired resource provider and provider-specific configuration. If unspecified, the "Kubernetes" resource provider is used with default configuration parameters. |
+| `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | Provider defines the desired resource provider and provider-specific configuration.
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters. |
| `logging` | _[ProxyLogging](#proxylogging)_ | true | Logging defines logging parameters for managed proxies. |
| `telemetry` | _[ProxyTelemetry](#proxytelemetry)_ | false | Telemetry defines telemetry parameters for managed proxies. |
-| `bootstrap` | _[ProxyBootstrap](#proxybootstrap)_ | false | Bootstrap defines the Envoy Bootstrap as a YAML string. Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap to learn more about the syntax. If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration set by Envoy Gateway. Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources from it are not configurable and will result in the `EnvoyProxy` resource being rejected. Backward compatibility across minor versions is not guaranteed. We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. |
-| `concurrency` | _integer_ | false | Concurrency defines the number of worker threads to run. If unset, it defaults to the number of cpuset threads on the platform. |
-| `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy. More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. |
-| `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure. Setting this field to true would merge all Gateway Listeners under the parent Gateway Class. This means that the port, protocol and hostname tuple must be unique for every listener. If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. |
+| `bootstrap` | _[ProxyBootstrap](#proxybootstrap)_ | false | Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
to learn more about the syntax.
If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
set by Envoy Gateway.
Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
Backward compatibility across minor versions is not guaranteed.
We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. |
+| `concurrency` | _integer_ | false | Concurrency defines the number of worker threads to run. If unset, it defaults to
the number of cpuset threads on the platform. |
+| `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. |
+| `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. |
| `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. |
| `tls` | _[EnvoyTLSConfig](#envoytlsconfig)_ | false | TLS is the TLS configuration for the Envoy proxy to use when connecting to backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc. |
@@ -998,10 +1016,44 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service. Either GRPCService or HTTPService must be specified, and only one of them can be provided. |
-| `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service. Either GRPCService or HTTPService must be specified, and only one of them can be provided. |
-| `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included in the request to the external authorization service. Note: If not specified, the default behavior for gRPC and HTTP external authorization services is different due to backward compatibility reasons. All headers will be included in the check request to a gRPC authorization server. Only the following headers will be included in the check request to an HTTP authorization server: Host, Method, Path, Content-Length, and Authorization. And these headers will always be included to the check request to an HTTP authorization server by default, no matter whether they are specified in HeadersToExtAuth or not. |
-| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. If FailOpen is set to true, the system allows the traffic to pass through. Otherwise, if it is set to false or not set (defaulting to false), the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach. This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. |
+| `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. |
+| `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. |
+| `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. |
+| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. |
+
+
+#### ExtProc
+
+
+
+ExtProc defines the configuration for External Processing filter.
+
+_Appears in:_
+- [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `backendRef` | _[ExtProcBackendRef](#extprocbackendref)_ | true | Service defines the configuration of the external processing service |
+
+
+#### ExtProcBackendRef
+
+
+
+ExtProcService defines the gRPC External Processing service using the envoy grpc client
+The processing request and response messages are defined in
+https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ext_proc/v3/external_processor.proto
+
+_Appears in:_
+- [ExtProc](#extproc)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `group` | _[Group](#group)_ | false | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. |
+| `kind` | _[Kind](#kind)_ | false | Kind is the Kubernetes resource kind of the referent. For example
"Service".
Defaults to "Service" when not specified.
ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.
Support: Core (Services with a type other than ExternalName)
Support: Implementation-specific (Services with type ExternalName) |
+| `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. |
+| `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core |
+| `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. |
#### ExtensionAPISettings
@@ -1016,8 +1068,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `enableEnvoyPatchPolicy` | _boolean_ | true | EnableEnvoyPatchPolicy enables Envoy Gateway to reconcile and implement the EnvoyPatchPolicy resources. |
-| `enableEnvoyExtensionPolicy` | _boolean_ | true | EnableEnvoyExtensionPolicy enables Envoy Gateway to reconcile and implement the EnvoyExtensionPolicy resources. |
+| `enableEnvoyPatchPolicy` | _boolean_ | true | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. |
#### ExtensionHooks
@@ -1038,7 +1089,8 @@ _Appears in:_
-ExtensionManager defines the configuration for registering an extension manager to the Envoy Gateway control plane.
+ExtensionManager defines the configuration for registering an extension manager to
+the Envoy Gateway control plane.
_Appears in:_
- [EnvoyGateway](#envoygateway)
@@ -1048,7 +1100,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `resources` | _[GroupVersionKind](#groupversionkind) array_ | false | Resources defines the set of K8s resources the extension will handle. |
| `hooks` | _[ExtensionHooks](#extensionhooks)_ | true | Hooks defines the set of hooks the extension supports |
-| `service` | _[ExtensionService](#extensionservice)_ | true | Service defines the configuration of the extension service that the Envoy Gateway Control Plane will call through extension hooks. |
+| `service` | _[ExtensionService](#extensionservice)_ | true | Service defines the configuration of the extension service that the Envoy
Gateway Control Plane will call through extension hooks. |
#### ExtensionService
@@ -1064,7 +1116,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `host` | _string_ | true | Host define the extension service hostname. |
| `port` | _integer_ | false | Port defines the port the extension service is exposed on. |
-| `tls` | _[ExtensionTLS](#extensiontls)_ | false | TLS defines TLS configuration for communication between Envoy Gateway and the extension service. |
+| `tls` | _[ExtensionTLS](#extensiontls)_ | false | TLS defines TLS configuration for communication between Envoy Gateway and
the extension service. |
#### ExtensionTLS
@@ -1078,14 +1130,15 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that contains a TLS certificate and private keys. These certificates are used to establish a TLS handshake to the extension server.
CertificateRef can only reference a Kubernetes Secret at this time. |
+| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.
CertificateRef can only reference a Kubernetes Secret at this time. |
#### FaultInjection
-FaultInjection defines the fault injection policy to be applied. This configuration can be used to inject delays and abort requests to mimic failure scenarios such as service failures and overloads
+FaultInjection defines the fault injection policy to be applied. This configuration can be used to
+inject delays and abort requests to mimic failure scenarios such as service failures and overloads
_Appears in:_
- [BackendTrafficPolicySpec](#backendtrafficpolicyspec)
@@ -1145,14 +1198,16 @@ _Appears in:_
-GRPCExtAuthService defines the gRPC External Authorization service The authorization request message is defined in https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+GRPCExtAuthService defines the gRPC External Authorization service
+The authorization request message is defined in
+https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
_Appears in:_
- [ExtAuth](#extauth)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | true | BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. Only service Kind is supported for now. |
+| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only service Kind is supported for now. |
#### Gateway
@@ -1167,7 +1222,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `controllerName` | _string_ | false | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass |
+| `controllerName` | _string_ | false | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass |
#### GlobalRateLimit
@@ -1181,14 +1236,15 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | Rules are a list of RateLimit selectors and limits. Each rule and its associated limit is applied in a mutually exclusive way. If a request matches multiple rules, each of their associated limits get applied, so a single request might increase the rate limit counters for multiple rules if selected. The rate limit service will return a logical OR of the individual rate limit decisions of all matching rules. For example, if a request matches two rules, one rate limited and one not, the final decision will be to rate limit the request. |
+| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. |
#### GroupVersionKind
-GroupVersionKind unambiguously identifies a Kind. It can be converted to k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind
+GroupVersionKind unambiguously identifies a Kind.
+It can be converted to k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind
_Appears in:_
- [ExtensionManager](#extensionmanager)
@@ -1204,7 +1260,9 @@ _Appears in:_
-GzipCompressor defines the config for the Gzip compressor. The default values can be found here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/compression/gzip/compressor/v3/gzip.proto#extension-envoy-compression-gzip-compressor
+GzipCompressor defines the config for the Gzip compressor.
+The default values can be found here:
+https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/compression/gzip/compressor/v3/gzip.proto#extension-envoy-compression-gzip-compressor
_Appears in:_
- [Compression](#compression)
@@ -1222,7 +1280,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `useDefaultHost` | _boolean_ | false | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header, then the hostname associated with the listener should be injected into the request. If this is not set and an HTTP/1.0 request arrives without a host, then it will be rejected. |
+| `useDefaultHost` | _boolean_ | false | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. |
#### HTTP1Settings
@@ -1237,7 +1295,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `enableTrailers` | _boolean_ | false | EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy. |
-| `preserveHeaderCase` | _boolean_ | false | PreserveHeaderCase defines if Envoy should preserve the letter case of headers. By default, Envoy will lowercase all the headers. |
+| `preserveHeaderCase` | _boolean_ | false | PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers. |
| `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. |
@@ -1264,8 +1322,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `path` | _string_ | true | Path defines the HTTP path that will be requested during health checking. |
-| `method` | _string_ | false | Method defines the HTTP method used for health checking. Defaults to GET |
-| `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | ExpectedStatuses defines a list of HTTP response statuses considered healthy. Defaults to 200 only |
+| `method` | _string_ | false | Method defines the HTTP method used for health checking.
Defaults to GET |
+| `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | ExpectedStatuses defines a list of HTTP response statuses considered healthy.
Defaults to 200 only |
| `expectedResponse` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | ExpectedResponse defines a list of HTTP expected responses to match. |
@@ -1280,7 +1338,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `requestReceivedTimeout` | _[Duration](#duration)_ | false | The duration envoy waits for the complete request reception. This timer starts upon request initiation and stops when either the last byte of the request is sent upstream or when the response begins. |
+| `requestReceivedTimeout` | _[Duration](#duration)_ | false | RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins. |
+| `idleTimeout` | _[Duration](#duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. |
#### HTTPExtAuthService
@@ -1294,9 +1353,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | true | BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. Only service Kind is supported for now. |
-| `path` | _string_ | true | Path is the path of the HTTP External Authorization service. If path is specified, the authorization request will be sent to that path, or else the authorization request will be sent to the root path. |
-| `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added to the original client request before sending it to the backend server. Note that coexisting headers will be overridden. If not specified, no authorization response headers will be added to the original client request. |
+| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only service Kind is supported for now. |
+| `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. |
+| `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. |
#### HTTPStatus
@@ -1322,8 +1381,22 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `connectionIdleTimeout` | _[Duration](#duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. Default: 1 hour. |
-| `maxConnectionDuration` | _[Duration](#duration)_ | false | The maximum duration of an HTTP connection. Default: unlimited. |
+| `connectionIdleTimeout` | _[Duration](#duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. |
+| `maxConnectionDuration` | _[Duration](#duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. |
+
+
+#### HTTPWasmCodeSource
+
+
+
+HTTPWasmCodeSource defines the HTTP URL containing the wasm code.
+
+_Appears in:_
+- [WasmCodeSource](#wasmcodesource)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `url` | _string_ | true | URL is the URL containing the wasm code. |
@@ -1332,7 +1405,8 @@ _Appears in:_
_Underlying type:_ _string_
-HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values are "Exact", "RegularExpression", and "Distinct".
+HeaderMatchType specifies the semantics of how HTTP header values should be compared.
+Valid HeaderMatchType values are "Exact", "RegularExpression", and "Distinct".
_Appears in:_
- [HeaderMatch](#headermatch)
@@ -1350,14 +1424,16 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `enableEnvoyHeaders` | _boolean_ | false | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests and responses. |
+| `enableEnvoyHeaders` | _boolean_ | false | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses. |
+| `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. |
#### HealthCheck
-HealthCheck configuration to decide which endpoints are healthy and can be used for routing.
+HealthCheck configuration to decide which endpoints
+are healthy and can be used for routing.
_Appears in:_
- [BackendTrafficPolicySpec](#backendtrafficpolicyspec)
@@ -1368,6 +1444,21 @@ _Appears in:_
| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration |
+#### ImageWasmCodeSource
+
+
+
+ImageWasmCodeSource defines the OCI image containing the wasm code.
+
+_Appears in:_
+- [WasmCodeSource](#wasmcodesource)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `url` | _string_ | true | URL is the URL of the OCI image. |
+| `pullSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | PullSecretRef is a reference to the secret containing the credentials to pull the image. |
+
+
#### InfrastructureProviderType
_Underlying type:_ _string_
@@ -1383,7 +1474,8 @@ _Appears in:_
-JSONPatchOperation defines the JSON Patch Operation as defined in https://datatracker.ietf.org/doc/html/rfc6902
+JSONPatchOperation defines the JSON Patch Operation as defined in
+https://datatracker.ietf.org/doc/html/rfc6902
_Appears in:_
- [EnvoyJSONPatchConfig](#envoyjsonpatchconfig)
@@ -1391,9 +1483,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform |
-| `path` | _string_ | true | Path is the location of the target document/field where the operation will be performed Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. |
-| `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid for move or copy operations Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. |
-| `value` | _[JSON](#json)_ | false | Value is the new value of the path location. The value is only used by the `add` and `replace` operations. |
+| `path` | _string_ | true | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. |
+| `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. |
+| `value` | _[JSON](#json)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. |
#### JSONPatchOperationType
@@ -1418,14 +1510,16 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type. When multiple JWT providers are specified, the JWT is considered valid if any of the providers successfully validate the JWT. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |
+| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |
#### JWTExtractor
-JWTExtractor defines a custom JWT token extraction from HTTP request. If specified, Envoy will extract the JWT token from the listed extractors (headers, cookies, or params) and validate each of them. If any value extracted is found to be an invalid JWT, a 401 error will be returned.
+JWTExtractor defines a custom JWT token extraction from HTTP request.
+If specified, Envoy will extract the JWT token from the listed extractors (headers, cookies, or params) and validate each of them.
+If any value extracted is found to be an invalid JWT, a 401 error will be returned.
_Appears in:_
- [JWTProvider](#jwtprovider)
@@ -1449,7 +1543,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `name` | _string_ | true | Name is the HTTP header name to retrieve the token |
-| `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token. The format would be used by Envoy like "{ValuePrefix}". For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. |
+| `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "{ValuePrefix}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. |
#### JWTProvider
@@ -1463,13 +1557,13 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `name` | _string_ | true | Name defines a unique name for the JWT provider. A name can have a variety of forms, including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. |
-| `issuer` | _string_ | false | Issuer is the principal that issued the JWT and takes the form of a URL or email address. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided, the JWT issuer is not checked. |
-| `audiences` | _string array_ | false | Audiences is a list of JWT audiences allowed access. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences are not checked. |
-| `remoteJWKS` | _[RemoteJWKS](#remotejwks)_ | true | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint. |
-| `claimToHeaders` | _[ClaimToHeader](#claimtoheader) array_ | false | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported |
-| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision. This field must be enabled if the headers generated from the claim are used for route matching decisions. If the recomputation selects a new route, features targeting the new matched route will be applied. |
-| `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request. If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema or access_token from query parameters. |
+| `name` | _string_ | true | Name defines a unique name for the JWT provider. A name can have a variety of forms,
including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. |
+| `issuer` | _string_ | false | Issuer is the principal that issued the JWT and takes the form of a URL or email address.
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
the JWT issuer is not checked. |
+| `audiences` | _string array_ | false | Audiences is a list of JWT audiences allowed access. For additional details, see
https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
are not checked. |
+| `remoteJWKS` | _[RemoteJWKS](#remotejwks)_ | true | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
HTTP/HTTPS endpoint. |
+| `claimToHeaders` | _[ClaimToHeader](#claimtoheader) array_ | false | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
For examples, following config:
The claim must be of type; string, int, double, bool. Array type claims are not supported |
+| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers generated from the claim are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. |
+| `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. |
#### KubernetesContainerSpec
@@ -1484,17 +1578,18 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `env` | _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#envvar-v1-core) array_ | false | List of environment variables to set in the container. |
-| `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core)_ | false | Resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
-| `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core)_ | false | SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
+| `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core)_ | false | Resources required by this container.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core)_ | false | SecurityContext defines the security options the container should be run with.
If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| `image` | _string_ | false | Image specifies the EnvoyProxy container image to be used, instead of the default image. |
-| `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volumemount-v1-core) array_ | false | VolumeMounts are volumes to mount into the container's filesystem. Cannot be updated. |
+| `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volumemount-v1-core) array_ | false | VolumeMounts are volumes to mount into the container's filesystem.
Cannot be updated. |
#### KubernetesDeployMode
-KubernetesDeployMode holds configuration for how to deploy managed resources such as the Envoy Proxy data plane fleet.
+KubernetesDeployMode holds configuration for how to deploy managed resources such as the Envoy Proxy
+data plane fleet.
_Appears in:_
- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)
@@ -1518,24 +1613,27 @@ _Appears in:_
| `strategy` | _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#deploymentstrategy-v1-apps)_ | false | The deployment strategy to use to replace existing pods with new ones. |
| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | Pod defines the desired specification of pod. |
| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. |
-| `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#container-v1-core) array_ | false | List of initialization containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
+| `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#container-v1-core) array_ | false | List of initialization containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
#### KubernetesHorizontalPodAutoscalerSpec
-KubernetesHorizontalPodAutoscalerSpec defines Kubernetes Horizontal Pod Autoscaler settings of Envoy Proxy Deployment. When HPA is enabled, it is recommended that the value in `KubernetesDeploymentSpec.replicas` be removed, otherwise Envoy Gateway will revert back to this value every time reconciliation occurs. See k8s.io.autoscaling.v2.HorizontalPodAutoScalerSpec.
+KubernetesHorizontalPodAutoscalerSpec defines Kubernetes Horizontal Pod Autoscaler settings of Envoy Proxy Deployment.
+When HPA is enabled, it is recommended that the value in `KubernetesDeploymentSpec.replicas` be removed, otherwise
+Envoy Gateway will revert back to this value every time reconciliation occurs.
+See k8s.io.autoscaling.v2.HorizontalPodAutoScalerSpec.
_Appears in:_
- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `minReplicas` | _integer_ | false | minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 replica. |
-| `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas. |
-| `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). If left empty, it defaults to being based on CPU utilization with average on 80% usage. |
-| `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used. See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. |
+| `minReplicas` | _integer_ | false | minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 replica. |
+| `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. |
+| `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. |
+| `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. |
#### KubernetesPatchSpec
@@ -1550,7 +1648,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[MergeType](#mergetype)_ | false | Type is the type of merge operation to perform
By default, StrategicMerge is used as the patch type. |
+| `type` | _[MergeType](#mergetype)_ | false | Type is the type of merge operation to perform
By default, StrategicMerge is used as the patch type. |
| `value` | _[JSON](#json)_ | true | Object contains the raw configuration for merged object |
@@ -1565,15 +1663,15 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `annotations` | _object (keys:string, values:string)_ | false | Annotations are the annotations that should be appended to the pods. By default, no pod annotations are appended. |
-| `labels` | _object (keys:string, values:string)_ | false | Labels are the additional labels that should be tagged to the pods. By default, no additional pod labels are tagged. |
-| `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core)_ | false | SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field. |
+| `annotations` | _object (keys:string, values:string)_ | false | Annotations are the annotations that should be appended to the pods.
By default, no pod annotations are appended. |
+| `labels` | _object (keys:string, values:string)_ | false | Labels are the additional labels that should be tagged to the pods.
By default, no additional pod labels are tagged. |
+| `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core)_ | false | SecurityContext holds pod-level security attributes and common container settings.
Optional: Defaults to empty. See type description for default values of each field. |
| `affinity` | _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#affinity-v1-core)_ | false | If specified, the pod's scheduling constraints. |
| `tolerations` | _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#toleration-v1-core) array_ | false | If specified, the pod's tolerations. |
-| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volume-v1-core) array_ | false | Volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes |
-| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#localobjectreference-v1-core) array_ | false | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod |
-| `nodeSelector` | _object (keys:string, values:string)_ | false | NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
-| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#topologyspreadconstraint-v1-core) array_ | false | TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed. |
+| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volume-v1-core) array_ | false | Volumes that can be mounted by containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes |
+| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#localobjectreference-v1-core) array_ | false | ImagePullSecrets is an optional list of references to secrets
in the same namespace to use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual puller implementations for them to use.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod |
+| `nodeSelector` | _object (keys:string, values:string)_ | false | NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
+| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#topologyspreadconstraint-v1-core) array_ | false | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. |
#### KubernetesServiceSpec
@@ -1587,12 +1685,12 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service. By default, no annotations are appended. |
-| `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer. Valid options are ClusterIP, LoadBalancer and NodePort. "LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it). "ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP. "NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. |
-| `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider implementation if more than one are available or is otherwise expected to be specified |
-| `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. |
-| `loadBalancerIP` | _string_ | false | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field may be ignored if the load balancer provider does not support this feature. This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud providers such as GCP. |
-| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. |
+| `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. |
+| `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. |
+| `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified |
+| `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. |
+| `loadBalancerIP` | _string_ | false | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
may be ignored if the load balancer provider does not support this feature.
This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
providers such as GCP. |
+| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. |
| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the service |
@@ -1607,9 +1705,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and KubernetesWatchModeTypeNamespaceSelector are currently supported By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources from all namespaces. |
-| `namespaces` | _string array_ | true | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped resources such as Gateway, HTTPRoute and Service. Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. |
-| `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#labelselector-v1-meta)_ | true | NamespaceSelector holds the label selector used to dynamically select namespaces. Envoy Gateway will watch for namespaces matching the specified label selector. Precisely one of Namespaces and NamespaceSelector must be set. |
+| `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
KubernetesWatchModeTypeNamespaceSelector are currently supported
By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
from all namespaces. |
+| `namespaces` | _string array_ | true | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
resources such as Gateway, HTTPRoute and Service.
Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. |
+| `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#labelselector-v1-meta)_ | true | NamespaceSelector holds the label selector used to dynamically select namespaces.
Envoy Gateway will watch for namespaces matching the specified label selector.
Precisely one of Namespaces and NamespaceSelector must be set. |
#### KubernetesWatchModeType
@@ -1623,6 +1721,23 @@ _Appears in:_
+#### LeaderElection
+
+
+
+LeaderElection defines the desired leader election settings.
+
+_Appears in:_
+- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `leaseDuration` | _[Duration](#duration)_ | true | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. |
+| `renewDeadline` | _[Duration](#duration)_ | true | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. |
+| `retryPeriod` | _[Duration](#duration)_ | true | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. |
+| `disable` | _boolean_ | true | Disable provides the option to turn off leader election, which is enabled by default. |
+
+
#### LiteralCustomTag
@@ -1648,9 +1763,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy. Valid LoadBalancerType values are "ConsistentHash", "LeastRequest", "Random", "RoundRobin", |
-| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is set to ConsistentHash |
-| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. Currently this is only supported for RoundRobin and LeastRequest load balancers |
+| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin", |
+| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash |
+| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers |
#### LoadBalancerType
@@ -1675,7 +1790,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | Rules are a list of RateLimit selectors and limits. If a request matches multiple rules, the strictest limit is applied. For example, if a request matches two rules, one with 10rps and one with 20rps, the final limit will be based on the rule with 10rps. |
+| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. |
#### LogLevel
@@ -1716,12 +1831,12 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `provider` | _[OIDCProvider](#oidcprovider)_ | true | The OIDC Provider configuration. |
-| `clientID` | _string_ | true | The client ID to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
-| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
This is an Opaque secret. The client secret should be stored in the key "client-secret". |
-| `scopes` | _string array_ | false | The OIDC scopes to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). The "openid" scope is always added to the list of scopes if not already specified. |
-| `resources` | _string array_ | false | The OIDC resources to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
-| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
-| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies. If not specified, uses a default logout path "/logout" |
+| `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
+| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
This is an Opaque secret. The client secret should be stored in the key
"client-secret". |
+| `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. |
+| `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
+| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
+| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.
If not specified, uses a default logout path "/logout" |
#### OIDCProvider
@@ -1735,33 +1850,46 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST be https, a host component, and optionally, port and path components and no query or fragment components. |
-| `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). |
-| `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). |
+| `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. |
+| `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). |
+| `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). |
#### OpenTelemetryEnvoyProxyAccessLog
-TODO: consider reuse ExtensionService?
+OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink.
_Appears in:_
- [ProxyAccessLogSink](#proxyaccesslogsink)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `host` | _string_ | true | Host define the extension service hostname. |
-| `port` | _integer_ | false | Port defines the port the extension service is exposed on. |
-| `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info. It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). |
+| `host` | _string_ | true | Host define the extension service hostname.
Deprecated: Use BackendRef instead. |
+| `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRef instead. |
+| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the accesslog will be sent.
Only service Kind is supported for now. |
+| `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). |
#### Origin
_Underlying type:_ _string_
-Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. The hostname can be "precise" which is just the domain name or "wildcard" which is a domain name prefixed with a single wildcard label such as "*.example.com". In addition to that a single wildcard (with or without scheme) can be configured to match any origin.
- For example, the following are valid origins: - https://foo.example.com - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080 - https://*
+Origin is defined by the scheme (protocol), hostname (domain), and port of
+the URL used to access it. The hostname can be "precise" which is just the
+domain name or "wildcard" which is a domain name prefixed with a single
+wildcard label such as "*.example.com".
+In addition to that a single wildcard (with or without scheme) can be
+configured to match any origin.
+
+
+For example, the following are valid origins:
+- https://foo.example.com
+- https://*.example.com
+- http://foo.example.com:8080
+- http://*.example.com:8080
+- https://*
_Appears in:_
- [CORS](#cors)
@@ -1772,7 +1900,8 @@ _Appears in:_
-PassiveHealthCheck defines the configuration for passive health checks in the context of Envoy's Outlier Detection, see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier
+PassiveHealthCheck defines the configuration for passive health checks in the context of Envoy's Outlier Detection,
+see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier
_Appears in:_
- [HealthCheck](#healthcheck)
@@ -1781,7 +1910,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `splitExternalLocalOriginErrors` | _boolean_ | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. |
| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Interval defines the time between passive health checks. |
-| `consecutiveLocalOriginFailures` | _integer_ | false | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. Parameter takes effect only when split_external_local_origin_errors is set to true. |
+| `consecutiveLocalOriginFailures` | _integer_ | false | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. |
| `consecutiveGatewayErrors` | _integer_ | false | ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection. |
| `consecutive5XxErrors` | _integer_ | false | Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection. |
| `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. |
@@ -1792,7 +1921,8 @@ _Appears in:_
_Underlying type:_ _string_
-PathEscapedSlashAction determines the action for requests that contain %2F, %2f, %5C, or %5c sequences in the URI path.
+PathEscapedSlashAction determines the action for requests that contain %2F, %2f, %5C, or %5c
+sequences in the URI path.
_Appears in:_
- [PathSettings](#pathsettings)
@@ -1810,8 +1940,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI should be handled. The default is UnescapeAndRedirect. |
-| `disableMergeSlashes` | _boolean_ | false | DisableMergeSlashes allows disabling the default configuration of merging adjacent slashes in the path. Note that slash merging is not part of the HTTP spec and is provided for convenience. |
+| `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect. |
+| `disableMergeSlashes` | _boolean_ | false | DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience. |
#### PerRetryPolicy
@@ -1826,7 +1956,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout is the timeout per retry attempt. |
-| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential back-off algorithm for retries. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries |
+| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries |
#### ProviderType
@@ -1853,14 +1983,15 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `disable` | _boolean_ | true | Disable disables access logging for managed proxies if set to true. |
-| `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | Settings defines accesslog settings for managed proxies. If unspecified, will send default format to stdout. |
+| `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | Settings defines accesslog settings for managed proxies.
If unspecified, will send default format to stdout. |
#### ProxyAccessLogFormat
-ProxyAccessLogFormat defines the format of accesslog. By default accesslogs are written to standard output.
+ProxyAccessLogFormat defines the format of accesslog.
+By default accesslogs are written to standard output.
_Appears in:_
- [ProxyAccessLogSetting](#proxyaccesslogsetting)
@@ -1868,8 +1999,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | _[ProxyAccessLogFormatType](#proxyaccesslogformattype)_ | true | Type defines the type of accesslog format. |
-| `text` | _string_ | false | Text defines the text accesslog format, following Envoy accesslog formatting, It's required when the format type is "Text". Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. |
-| `json` | _object (keys:string, values:string)_ | false | JSON is additional attributes that describe the specific event occurrence. Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) can be used as values for fields within the Struct. It's required when the format type is "JSON". |
+| `text` | _string_ | false | Text defines the text accesslog format, following Envoy accesslog formatting,
It's required when the format type is "Text".
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. |
+| `json` | _object (keys:string, values:string)_ | false | JSON is additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON". |
#### ProxyAccessLogFormatType
@@ -1936,7 +2067,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace or Merge. If unspecified, it defaults to Replace. |
+| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace or Merge.
If unspecified, it defaults to Replace. |
| `value` | _string_ | true | Value is a YAML string of the bootstrap. |
@@ -1962,22 +2093,23 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is a map of logging level per component, where the component is the key and the log level is the value. If unspecified, defaults to "default: warn". |
+| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". |
#### ProxyMetricSink
-ProxyMetricSink defines the sink of metrics. Default metrics sink is OpenTelemetry.
+ProxyMetricSink defines the sink of metrics.
+Default metrics sink is OpenTelemetry.
_Appears in:_
- [ProxyMetrics](#proxymetrics)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type. EG currently only supports OpenTelemetry. |
-| `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | OpenTelemetry defines the configuration for OpenTelemetry sink. It's required if the sink type is OpenTelemetry. |
+| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG currently only supports OpenTelemetry. |
+| `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. |
#### ProxyMetrics
@@ -1993,7 +2125,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. |
| `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. |
-| `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats may after critical functionality. Here are the stats that we strongly recommend not disabling: `cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`, `cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856, https://github.com/envoyproxy/envoy/issues/14610 |
+| `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 |
| `enableVirtualHostStats` | _boolean_ | true | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. |
@@ -2001,15 +2133,16 @@ _Appears in:_
-
+ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink.
_Appears in:_
- [ProxyMetricSink](#proxymetricsink)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `host` | _string_ | true | Host define the service hostname. |
-| `port` | _integer_ | false | Port defines the port the service is exposed on. |
+| `host` | _string_ | true | Host define the service hostname.
Deprecated: Use BackendRef instead. |
+| `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRef instead. |
+| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the metric will be sent.
Only service Kind is supported for now. |
#### ProxyPrometheusProvider
@@ -2030,14 +2163,15 @@ _Appears in:_
-ProxyProtocol defines the configuration related to the proxy protocol when communicating with the backend.
+ProxyProtocol defines the configuration related to the proxy protocol
+when communicating with the backend.
_Appears in:_
- [BackendTrafficPolicySpec](#backendtrafficpolicyspec)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol Valid ProxyProtocolVersion values are "V1" "V2" |
+| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" |
#### ProxyProtocolVersion
@@ -2062,8 +2196,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | AccessLogs defines accesslog parameters for managed proxies. If unspecified, will send default format to stdout. |
-| `tracing` | _[ProxyTracing](#proxytracing)_ | false | Tracing defines tracing configuration for managed proxies. If unspecified, will not send tracing data. |
+| `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | AccessLogs defines accesslog parameters for managed proxies.
If unspecified, will send default format to stdout. |
+| `tracing` | _[ProxyTracing](#proxytracing)_ | false | Tracing defines tracing configuration for managed proxies.
If unspecified, will not send tracing data. |
| `metrics` | _[ProxyMetrics](#proxymetrics)_ | true | Metrics defines metrics configuration for managed proxies. |
@@ -2078,16 +2212,17 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. |
-| `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | CustomTags defines the custom tags to add to each span. If provider is kubernetes, pod name and namespace are added by default. |
-| `provider` | _[TracingProvider](#tracingprovider)_ | true | Provider defines the tracing provider. Only OpenTelemetry is supported currently. |
+| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. |
+| `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | CustomTags defines the custom tags to add to each span.
If provider is kubernetes, pod name and namespace are added by default. |
+| `provider` | _[TracingProvider](#tracingprovider)_ | true | Provider defines the tracing provider.
Only OpenTelemetry is supported currently. |
#### RateLimit
-RateLimit defines the configuration associated with the Rate Limit Service used for Global Rate Limiting.
+RateLimit defines the configuration associated with the Rate Limit Service
+used for Global Rate Limiting.
_Appears in:_
- [EnvoyGateway](#envoygateway)
@@ -2095,9 +2230,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the database backend used by the rate limit service to store state associated with global ratelimiting. |
-| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server If not set, timeout is 20ms. |
-| `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic when the response from the ratelimit server cannot be obtained. If FailClosed is false, let the traffic pass, otherwise, don't let the traffic pass and return 500. If not set, FailClosed is False. |
+| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. |
+| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. |
+| `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. |
| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | Telemetry defines telemetry configuration for RateLimit. |
@@ -2105,14 +2240,15 @@ _Appears in:_
-RateLimitDatabaseBackend defines the configuration associated with the database backend used by the rate limit service.
+RateLimitDatabaseBackend defines the configuration associated with
+the database backend used by the rate limit service.
_Appears in:_
- [RateLimit](#ratelimit)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | Type is the type of database backend to use. Supported types are: * Redis: Connects to a Redis database. |
+| `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | Type is the type of database backend to use. Supported types are:
* Redis: Connects to a Redis database. |
| `redis` | _[RateLimitRedisSettings](#ratelimitredissettings)_ | false | Redis defines the settings needed to connect to a Redis database. |
@@ -2120,7 +2256,8 @@ _Appears in:_
_Underlying type:_ _string_
-RateLimitDatabaseBackendType specifies the types of database backend to be used by the rate limit service.
+RateLimitDatabaseBackendType specifies the types of database backend
+to be used by the rate limit service.
_Appears in:_
- [RateLimitDatabaseBackend](#ratelimitdatabasebackend)
@@ -2174,7 +2311,8 @@ _Appears in:_
-RateLimitRule defines the semantics for matching attributes from the incoming requests, and setting limits for them.
+RateLimitRule defines the semantics for matching attributes
+from the incoming requests, and setting limits for them.
_Appears in:_
- [GlobalRateLimit](#globalratelimit)
@@ -2182,23 +2320,25 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | ClientSelectors holds the list of select conditions to select specific clients using attributes from the traffic flow. All individual select conditions must hold True for this rule and its limit to be applied.
If no client selectors are specified, the rule applies to all traffic of the targeted Route.
If the policy targets a Gateway, the rule applies to each Route of the Gateway. Please note that each Route has its own rate limit counters. For example, if a Gateway has two Routes, and the policy has a rule with limit 10rps, each Route will have its own 10rps limit. |
-| `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | Limit holds the rate limit values. This limit is applied for traffic flows when the selectors compute to True, causing the request to be counted towards the limit. The limit is enforced and the request is ratelimited, i.e. a response with 429 HTTP status code is sent back to the client when the selected requests have reached the limit. |
+| `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | ClientSelectors holds the list of select conditions to select
specific clients using attributes from the traffic flow.
All individual select conditions must hold True for this rule
and its limit to be applied.
If no client selectors are specified, the rule applies to all traffic of
the targeted Route.
If the policy targets a Gateway, the rule applies to each Route of the Gateway.
Please note that each Route has its own rate limit counters. For example,
if a Gateway has two Routes, and the policy has a rule with limit 10rps,
each Route will have its own 10rps limit. |
+| `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | Limit holds the rate limit values.
This limit is applied for traffic flows when the selectors
compute to True, causing the request to be counted towards the limit.
The limit is enforced and the request is ratelimited, i.e. a response with
429 HTTP status code is sent back to the client when
the selected requests have reached the limit. |
#### RateLimitSelectCondition
-RateLimitSelectCondition specifies the attributes within the traffic flow that can be used to select a subset of clients to be ratelimited. All the individual conditions must hold True for the overall condition to hold True.
+RateLimitSelectCondition specifies the attributes within the traffic flow that can
+be used to select a subset of clients to be ratelimited.
+All the individual conditions must hold True for the overall condition to hold True.
_Appears in:_
- [RateLimitRule](#ratelimitrule)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `headers` | _[HeaderMatch](#headermatch) array_ | false | Headers is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers. At least one of headers or sourceCIDR condition must be specified. |
-| `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | SourceCIDR is the client IP Address range to match on. At least one of headers or sourceCIDR condition must be specified. |
+| `headers` | _[HeaderMatch](#headermatch) array_ | false | Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
At least one of headers or sourceCIDR condition must be specified. |
+| `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | SourceCIDR is the client IP Address range to match on.
At least one of headers or sourceCIDR condition must be specified. |
#### RateLimitSpec
@@ -2212,7 +2352,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[RateLimitType](#ratelimittype)_ | true | Type decides the scope for the RateLimits. Valid RateLimitType values are "Global" or "Local". |
+| `type` | _[RateLimitType](#ratelimittype)_ | true | Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local". |
| `global` | _[GlobalRateLimit](#globalratelimit)_ | false | Global defines global rate limit configuration. |
| `local` | _[LocalRateLimit](#localratelimit)_ | false | Local defines local rate limit configuration. |
@@ -2246,7 +2386,8 @@ _Appears in:_
_Underlying type:_ _string_
-RateLimitUnit specifies the intervals for setting rate limits. Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
+RateLimitUnit specifies the intervals for setting rate limits.
+Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
_Appears in:_
- [RateLimitValue](#ratelimitvalue)
@@ -2279,21 +2420,22 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | CertificateRef defines the client certificate reference for TLS connections. Currently only a Kubernetes Secret of type TLS is supported. |
+| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. |
#### RemoteJWKS
-RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
+RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
+HTTP/HTTPS endpoint.
_Appears in:_
- [JWTProvider](#jwtprovider)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate. |
+| `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. |
#### RequestHeaderCustomTag
@@ -2334,7 +2476,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. |
-| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.
If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). |
+| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.
If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). |
| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. |
@@ -2350,14 +2492,15 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `triggers` | _[TriggerEnum](#triggerenum) array_ | false | Triggers specifies the retry trigger condition(Http/Grpc). |
-| `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | HttpStatusCodes specifies the http status codes to be retried. The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. |
+| `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. |
#### SecurityPolicy
-SecurityPolicy allows the user to configure various security settings for a Gateway.
+SecurityPolicy allows the user to configure various security settings for a
+Gateway.
_Appears in:_
- [SecurityPolicyList](#securitypolicylist)
@@ -2397,7 +2540,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. |
+| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway. |
| `cors` | _[CORS](#cors)_ | false | CORS defines the configuration for Cross-Origin Resource Sharing (CORS). |
| `basicAuth` | _[BasicAuth](#basicauth)_ | false | BasicAuth defines the configuration for the HTTP Basic Authentication. |
| `jwt` | _[JWT](#jwt)_ | false | JWT defines the configuration for JSON Web Token (JWT) authentication. |
@@ -2411,7 +2554,9 @@ _Appears in:_
_Underlying type:_ _string_
-ServiceExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs.
+ServiceExternalTrafficPolicy describes how nodes distribute service traffic they
+receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs,
+and LoadBalancer IPs.
_Appears in:_
- [KubernetesServiceSpec](#kubernetesservicespec)
@@ -2440,8 +2585,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds. If unspecified, defaults to 600 seconds. |
-| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. If unspecified, defaults to 5 seconds. |
+| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 600 seconds. |
+| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 5 seconds. |
#### SlowStart
@@ -2455,7 +2600,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host. During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig |
+| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig |
@@ -2475,7 +2620,9 @@ _Appears in:_
-StringMatch defines how to match any strings. This is a general purpose match condition that can be used by other EG APIs that need to match against a string.
+StringMatch defines how to match any strings.
+This is a general purpose match condition that can be used by other EG APIs
+that need to match against a string.
_Appears in:_
- [ProxyMetrics](#proxymetrics)
@@ -2490,7 +2637,8 @@ _Appears in:_
_Underlying type:_ _string_
-StringMatchType specifies the semantics of how a string value should be compared. Valid MatchType values are "Exact", "Prefix", "Suffix", "RegularExpression".
+StringMatchType specifies the semantics of how a string value should be compared.
+Valid MatchType values are "Exact", "Prefix", "Suffix", "RegularExpression".
_Appears in:_
- [StringMatch](#stringmatch)
@@ -2524,9 +2672,9 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding the connection is dead. Defaults to 9. |
-| `idleTime` | _[Duration](#duration)_ | false | The duration a connection needs to be idle before keep-alive probes start being sent. The duration format is Defaults to `7200s`. |
-| `interval` | _[Duration](#duration)_ | false | The duration between keep-alive probes. Defaults to `75s`. |
+| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. |
+| `idleTime` | _[Duration](#duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. |
+| `interval` | _[Duration](#duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. |
#### TCPTimeout
@@ -2540,7 +2688,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `connectTimeout` | _[Duration](#duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes. Default: 10 seconds. |
+| `connectTimeout` | _[Duration](#duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. |
#### TLSSettings
@@ -2554,13 +2702,13 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow. The default is TLS 1.2 if this is not specified. |
-| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow The default is TLS 1.3 if this is not specified. |
-| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3. In non-FIPS Envoy Proxy builds the default cipher list is: - [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305] - [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305] - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 In builds using BoringSSL FIPS the default cipher list is: - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 |
-| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves. In non-FIPS Envoy Proxy builds the default curves are: - X25519 - P-256 In builds using BoringSSL FIPS the default curve is: - P-256 |
-| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should support. |
-| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be exposed by the listener. By default h2 and http/1.1 are enabled. Supported values are: - http/1.0 - http/1.1 - h2 |
-| `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | ClientValidation specifies the configuration to validate the client initiating the TLS connection to the Gateway listener. |
+| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. |
+| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. |
+| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 |
+| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 |
+| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. |
+| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 |
+| `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener. |
#### TLSVersion
@@ -2593,16 +2741,17 @@ _Appears in:_
-
+TracingProvider defines the tracing provider configuration.
_Appears in:_
- [ProxyTracing](#proxytracing)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. EG currently only supports OpenTelemetry. |
-| `host` | _string_ | true | Host define the provider service hostname. |
-| `port` | _integer_ | false | Port defines the port the provider service is exposed on. |
+| `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type.
EG currently only supports OpenTelemetry. |
+| `host` | _string_ | true | Host define the provider service hostname.
Deprecated: Use BackendRef instead. |
+| `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRef instead. |
+| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the accesslog will be sent.
Only service Kind is supported for now. |
#### TracingProviderType
@@ -2627,11 +2776,72 @@ _Appears in:_
+#### Wasm
+
+
+
+Wasm defines a wasm extension.
+
+
+Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
+v8 is used as the VM runtime for the Wasm extensions.
+
+_Appears in:_
+- [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `name` | _string_ | true | Name is a unique name for this Wasm extension. It is used to identify the
Wasm extension if multiple extensions are handled by the same vm_id and root_id.
It's also used for logging/debugging. |
+| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the wasm code for the extension. |
+| `config` | _[JSON](#json)_ | true | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. |
+| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. |
+
+
+#### WasmCodeSource
+
+
+
+WasmCodeSource defines the source of the wasm code.
+
+_Appears in:_
+- [Wasm](#wasm)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | Type is the type of the source of the wasm code.
Valid WasmCodeSourceType values are "HTTP" or "Image". |
+| `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | HTTP is the HTTP URL containing the wasm code.
Note that the HTTP server must be accessible from the Envoy proxy. |
+| `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | Image is the OCI image containing the wasm code.
Note that the image must be accessible from the Envoy Gateway. |
+
+
+#### WasmCodeSourceType
+
+_Underlying type:_ _string_
+
+WasmCodeSourceType specifies the types of sources for the wasm code.
+
+_Appears in:_
+- [WasmCodeSource](#wasmcodesource)
+
+
+
+#### WithUnderscoresAction
+
+_Underlying type:_ _string_
+
+WithUnderscoresAction configures the action to take when an HTTP header with underscores
+is encountered.
+
+_Appears in:_
+- [HeaderSettings](#headersettings)
+
+
+
#### XDSTranslatorHook
_Underlying type:_ _string_
-XDSTranslatorHook defines the types of hooks that an Envoy Gateway extension may support for the xds-translator
+XDSTranslatorHook defines the types of hooks that an Envoy Gateway extension may support
+for the xds-translator
_Appears in:_
- [XDSTranslatorHooks](#xdstranslatorhooks)
@@ -2664,6 +2874,6 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP headers to trust when determining the origin client's IP address. Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for for more details. |
+| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. |
diff --git a/site/content/en/latest/contributions/design/envoy-extension-policy.md b/site/content/en/latest/contributions/design/envoy-extension-policy.md
index fe6d3d895f2..ffd5c2751bb 100644
--- a/site/content/en/latest/contributions/design/envoy-extension-policy.md
+++ b/site/content/en/latest/contributions/design/envoy-extension-policy.md
@@ -127,7 +127,6 @@ Here is a list of features that can be included in this API
* Extensions that only support HTTP extensibility (Ext-Proc, LUA) can only be attached to HTTP/GRPC Routes.
* A user-defined extension that is added to the request processing flow can have a significant impact on security,
resilience and performance of the proxy. Gateway Operators can restrict access to the extensibility policy using K8s RBAC.
-* Extensibility will be disabled by default, and can be enabled using [Envoy Gateway][] API.
* Users may need to customize the order of extension and built-in filters. This will be addressed in a separate issue.
* Gateway operators may need to include multiple extensions (e.g. WASM modules developed by different teams and distributed separately).
This API will support attachment of multiple policies. Extension will execute in an order defined by the priority field.
@@ -159,7 +158,6 @@ Here is a list of features that can be included in this API
[Policy Attachment]: https://gateway-api.sigs.k8s.io/references/policy-attachment
[Gateway API]: https://gateway-api.sigs.k8s.io/
[Gateway API Route Filters]: https://gateway-api.sigs.k8s.io/api-types/httproute/#filters-optional
-[Envoy Gateway]: ../../api/extension_types#envoygateway
[Envoy Patch Policy]: ../../api/extension_types#envoypatchpolicy
[Envoy Extension Manager]: ./extending-envoy-gateway
[Alternatives]: #Alternatives
diff --git a/site/content/en/latest/user/operations/customize-envoyproxy.md b/site/content/en/latest/user/operations/customize-envoyproxy.md
index 65899d850d4..d06c41b423f 100644
--- a/site/content/en/latest/user/operations/customize-envoyproxy.md
+++ b/site/content/en/latest/user/operations/customize-envoyproxy.md
@@ -55,7 +55,7 @@ After you apply the config, you should see the replicas of envoyproxy changes to
And also you can dynamically change the value.
``` shell
-kubectl get deployment -l gateway.envoyproxy.io/owning-gateway-name=eg
+kubectl get deployment -l gateway.envoyproxy.io/owning-gateway-name=eg -n envoy-gateway-system
```
## Customize EnvoyProxy Image
diff --git a/site/content/en/latest/user/operations/egctl.md b/site/content/en/latest/user/operations/egctl.md
index 75855ad68d9..c8ee3a34a99 100644
--- a/site/content/en/latest/user/operations/egctl.md
+++ b/site/content/en/latest/user/operations/egctl.md
@@ -860,3 +860,48 @@ http://localhost:19000
```
the Envoy admin dashboard will automatically open in your default web browser. This eliminates the need to manually locate and expose the admin port.
+
+
+## egctl experimental install
+
+This subcommand can be used to install envoy-gateway.
+
+```bash
+egctl x install
+```
+
+By default, this will install both the envoy-gateway workload resource and the required gateway-api and envoy-gatewayCRDs.
+
+We can specify to install only workload resources via `--skip-crds`
+
+```bash
+egctl x install --skip-crds
+```
+
+We can specify to install only CRDs resources via `--only-crds`
+
+```bash
+egctl x install --only-crds
+```
+
+We can specify `--release-name` and `--namespace` to install envoy-gateway in different places to support multi-tenant mode.
+> Note: If CRDs are already installed, then we need to specify `--skip-crds` to avoid repeated installation of CRDs resources.
+
+```bash
+egctl x install --release-name shop-backend --namespace shop
+```
+
+
+## egctl experimental uninstall
+
+This subcommand can be used to uninstall envoy-gateway.
+
+```bash
+egctl x uninstall
+```
+
+By default, this will only uninstall the envoy-gateway workload resource, if we want to also uninstall CRDs, we need to specify `--with-crds`
+
+```bash
+egctl x uninstall --with-crds
+```
\ No newline at end of file
diff --git a/site/content/en/latest/user/security/private-key-provider.md b/site/content/en/latest/user/security/private-key-provider.md
new file mode 100644
index 00000000000..6882ebfe259
--- /dev/null
+++ b/site/content/en/latest/user/security/private-key-provider.md
@@ -0,0 +1,385 @@
+---
+title: "Accelerating TLS Handshakes using Private Key Provider in Envoy"
+---
+
+TLS operations can be accelerated or the private key can be protected using specialized hardware. This can be leveraged in Envoy using [Envoy Private Key Provider](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-privatekeyprovider) is added to Envoy.
+
+Today, there are two private key providers implemented in Envoy as contrib extensions:
+- [QAT in Envoy 1.24 release](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/private_key_providers/qat/v3alpha/qat.proto#extensions-private-key-providers-qat-v3alpha-qatprivatekeymethodconfig)
+- [CryptoMB in Envoy 1.20 release](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto )
+
+Both of them are used to accelerate the TLS handshake through the hardware capabilities.
+
+This guide will walk you through the steps required to configure TLS Termination mode for TCP traffic while also using the Envoy Private Key Provider to accelerate the TLS handshake by leveraging QAT and the HW accelerator available on Intel SPR/EMR Xeon server platforms.
+
+## Prerequisites
+
+### For QAT
+
+- Install Linux kernel 5.17 or similar
+- Ensure the node has QAT devices by checking the QAT physical function devices presented. [Supported Devices](https://intel.github.io/quickassist/qatlib/requirements.html#qat2-0-qatlib-supported-devices)
+
+ ```shell
+ echo `(lspci -d 8086:4940 && lspci -d 8086:4941 && lspci -d 8086:4942 && lspci -d 8086:4943 && lspci -d 8086:4946 && lspci -d 8086:4947) | wc -l` supported devices found.
+ ```
+
+- Enable IOMMU from BIOS
+- Enable IOMMU for Linux kernel
+
+ Figure out the QAT VF device id
+
+ ```shell
+ lspci -d 8086:4941 && lspci -d 8086:4943 && lspci -d 8086:4947
+ ```
+
+ Attach the QAT device to vfio-pci through kernel parameter by the device id gotten from previous command.
+
+ ```shell
+ cat /etc/default/grub:
+ GRUB_CMDLINE_LINUX="intel_iommu=on vfio-pci.ids=[QAT device id]"
+ update-grub
+ reboot
+ ````
+
+ Once the system is rebooted, check if the IOMMU has been enabled via the following command:
+
+ ```shell
+ dmesg| grep IOMMU
+ [ 1.528237] DMAR: IOMMU enabled
+ ```
+
+- Enable virtual function devices for QAT device
+
+ ```shell
+ modprobe vfio_pci
+ rmmod qat_4xxx
+ modprobe qat_4xxx
+ qat_device=$(lspci -D -d :[QAT device id] | awk '{print $1}')
+ for i in $qat_device; do echo 16|sudo tee /sys/bus/pci/devices/$i/sriov_numvfs; done
+ chmod a+rw /dev/vfio/*
+ ```
+
+- Increase the container runtime memory lock limit (using the containerd as example here)
+
+ ```shell
+ mkdir /etc/systemd/system/containerd.service.d
+ cat <>/etc/systemd/system/containerd.service.d/memlock.conf
+ [Service]
+ LimitMEMLOCK=134217728
+ EOF
+ ```
+
+ Restart the container runtime (for containerd, CRIO has similar concept)
+
+ ```shell
+ systemctl daemon-reload
+ systemctl restart containerd
+ ```
+
+- Install [Intel® QAT Device Plugin for Kubernetes](https://github.com/intel/intel-device-plugins-for-kubernetes)
+
+ ```shell
+ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/qat_plugin?ref=main'
+ ```
+
+ Verification of the plugin deployment and detection of QAT hardware can be confirmed by examining the resource allocations on the nodes:
+
+ ```shell
+ kubectl get node -o yaml| grep qat.intel.com
+ ```
+
+### For CryptoMB:
+
+It required the node with 3rd generation Intel Xeon Scalable processor server processors, or later.
+- For kubernetes Cluster, if not all nodes that support Intel® AVX-512 in Kubernetes cluster, you need to add some labels to divide these two kinds of nodes manually or using [NFD](https://github.com/kubernetes-sigs/node-feature-discovery).
+
+ ```shell
+ kubectl apply -k https://github.com/kubernetes-sigs/node-feature-discovery/deployment/overlays/default?ref=v0.15.1
+ ```
+
+- Checking the available nodes with required cpu instructions:
+ - Check the node labels if using [NFD](https://github.com/kubernetes-sigs/node-feature-discovery):
+
+ ```shell
+ kubectl get nodes -l feature.node.kubernetes.io/cpu-cpuid.AVX512F,feature.node.kubernetes.io/cpu-cpuid.AVX512DQ,feature.node.kubernetes.io/cpu-cpuid.AVX512BW,feature.node.kubernetes.io/cpu-cpuid.AVX512VBMI2,feature.node.kubernetes.io/cpu-cpuid.AVX512IFMA
+ ```
+
+ - Check CPUIDS manually on the node if without using NFD:
+
+ ```shell
+ cat /proc/cpuinfo |grep avx512f|grep avx512dq|grep avx512bw|grep avx512_vbmi2|grep avx512ifma
+ ```
+
+## Installation
+
+* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway.
+
+* Lets enable the EnvoyPatchPolicy feature, which will allow us to directly configure the Private Key Provider Envoy Filter, since Envoy Gateway does not directly expose this functionality.
+
+ ```shell
+ cat <> /etc/hosts
+```
+
+Benchmark the gateway with fortio.
+
+```shell
+fortio load -c 10 -k -qps 0 -t 30s -keepalive=false https://www.example.com:${NODE_PORT}
+```
+
+### For QAT
+
+```shell
+cat < ./test/helm/default.yaml
\ No newline at end of file
+ helm template eg charts/gateway-helm --set deployment.envoyGateway.image.tag=latest > ./test/helm/default.yaml --namespace=envoy-gateway-system
diff --git a/tools/make/kube.mk b/tools/make/kube.mk
index a862d9db20a..b37a10d1f68 100644
--- a/tools/make/kube.mk
+++ b/tools/make/kube.mk
@@ -113,6 +113,7 @@ install-ratelimit:
kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
kubectl rollout status --watch --timeout=5m -n envoy-gateway-system deployment/envoy-gateway
kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
+ tools/hack/deployment-exists.sh "app.kubernetes.io/name=envoy-ratelimit" "envoy-gateway-system"
kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available
.PHONY: run-e2e
diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod
index 01cc98e3279..4ec5c9b0189 100644
--- a/tools/src/buf/go.mod
+++ b/tools/src/buf/go.mod
@@ -1,6 +1,6 @@
module local
-go 1.19
+go 1.22
require github.com/bufbuild/buf v1.30.0
diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum
index e9bcbb456a3..837ed4830f5 100644
--- a/tools/src/buf/go.sum
+++ b/tools/src/buf/go.sum
@@ -30,12 +30,14 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM=
github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -54,6 +56,7 @@ github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A=
+github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88=
github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM=
@@ -70,22 +73,26 @@ github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u1
github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
+github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84=
github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.19.0 h1:uIsMRBV7m/HDkDxE/nXMnv1q+lOOSPlQ/ywc5JbB8Ic=
github.com/google/go-containerregistry v0.19.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7 h1:y3N7Bm7Y9/CtpiVkw/ZWj6lSlDF3F74SfKwfTCer72Q=
github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -93,6 +100,7 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
github.com/jdx/go-netrc v1.0.0 h1:QbLMLyCZGj0NA8glAhxUpf1zDg6cxnWgMBbjq40W0gQ=
github.com/jdx/go-netrc v1.0.0/go.mod h1:Gh9eFQJnoTNIRHXl2j5bJXA1u84hQWJWgGh569zF3v8=
github.com/jhump/protoreflect v1.15.6 h1:WMYJbw2Wo+KOWwZFvgY0jMoVHM6i4XIvRs2RcBj5VmI=
+github.com/jhump/protoreflect v1.15.6/go.mod h1:jCHoyYQIJnaabEYnbGwyo9hUqfyUMTbJw/tAut5t97E=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -149,6 +157,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -160,11 +169,13 @@ go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM=
go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k=
+go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY=
go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
@@ -172,6 +183,7 @@ go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7e
go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
@@ -216,6 +228,7 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -231,12 +244,15 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240304212257-790db918fca8/go.
google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 h1:IR+hp6ypxjH24bkMfEJ0yHR21+gwPWdV+/IBrPQyn3k=
google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs=
google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk=
+google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
diff --git a/tools/src/controller-gen/go.mod b/tools/src/controller-gen/go.mod
index 3140d861c8b..8e0dc95e504 100644
--- a/tools/src/controller-gen/go.mod
+++ b/tools/src/controller-gen/go.mod
@@ -1,37 +1,37 @@
module local
-go 1.21
+go 1.22
-require sigs.k8s.io/controller-tools v0.13.0
+require sigs.k8s.io/controller-tools v0.14.0
require (
- github.com/fatih/color v1.15.0 // indirect
- github.com/go-logr/logr v1.2.4 // indirect
+ github.com/fatih/color v1.16.0 // indirect
+ github.com/go-logr/logr v1.3.0 // indirect
github.com/gobuffalo/flect v1.0.2 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
- github.com/mattn/go-isatty v0.0.17 // indirect
+ github.com/mattn/go-isatty v0.0.20 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
- github.com/spf13/cobra v1.7.0 // indirect
+ github.com/spf13/cobra v1.8.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
- golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/mod v0.14.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
- golang.org/x/tools v0.12.0 // indirect
+ golang.org/x/tools v0.16.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/api v0.28.0 // indirect
- k8s.io/apiextensions-apiserver v0.28.0 // indirect
- k8s.io/apimachinery v0.28.0 // indirect
- k8s.io/klog/v2 v2.100.1 // indirect
- k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+ k8s.io/api v0.29.0 // indirect
+ k8s.io/apiextensions-apiserver v0.29.0 // indirect
+ k8s.io/apimachinery v0.29.0 // indirect
+ k8s.io/klog/v2 v2.110.1 // indirect
+ k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
- sigs.k8s.io/yaml v1.3.0 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+ sigs.k8s.io/yaml v1.4.0 // indirect
)
diff --git a/tools/src/controller-gen/go.sum b/tools/src/controller-gen/go.sum
index 3443dfb00e1..c7762224299 100644
--- a/tools/src/controller-gen/go.sum
+++ b/tools/src/controller-gen/go.sum
@@ -1,20 +1,20 @@
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
-github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA=
github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -31,8 +31,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -42,15 +42,15 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
-github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
+github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -60,8 +60,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -69,8 +69,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -80,12 +80,13 @@ golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -96,8 +97,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
-golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -115,21 +116,21 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
-k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
-k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E=
-k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE=
-k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
-k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
-k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
-k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI=
-sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA=
+k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=
+k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA=
+k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
+k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
+k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
+k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=
+k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
+k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A=
+sigs.k8s.io/controller-tools v0.14.0/go.mod h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/tools/src/crd-ref-docs/go.mod b/tools/src/crd-ref-docs/go.mod
index e2bd19cd67a..eb1f6e419eb 100644
--- a/tools/src/crd-ref-docs/go.mod
+++ b/tools/src/crd-ref-docs/go.mod
@@ -1,15 +1,15 @@
module local
-go 1.21
+go 1.22
-require github.com/elastic/crd-ref-docs v0.0.10
+require github.com/elastic/crd-ref-docs v0.0.11
require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/Masterminds/sprig v2.22.0+incompatible // indirect
- github.com/fatih/color v1.15.0 // indirect
- github.com/go-logr/logr v1.2.4 // indirect
+ github.com/fatih/color v1.16.0 // indirect
+ github.com/go-logr/logr v1.3.0 // indirect
github.com/gobuffalo/flect v1.0.2 // indirect
github.com/goccy/go-yaml v1.11.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
@@ -20,30 +20,30 @@ require (
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
- github.com/mattn/go-isatty v0.0.17 // indirect
+ github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
- github.com/spf13/cobra v1.7.0 // indirect
+ github.com/spf13/cobra v1.8.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.24.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
- golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/mod v0.14.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
- golang.org/x/tools v0.12.0 // indirect
+ golang.org/x/tools v0.16.1 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
- k8s.io/apiextensions-apiserver v0.28.0 // indirect
- k8s.io/apimachinery v0.28.0 // indirect
- k8s.io/klog/v2 v2.100.1 // indirect
- k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
- sigs.k8s.io/controller-tools v0.13.0 // indirect
+ k8s.io/apiextensions-apiserver v0.29.0 // indirect
+ k8s.io/apimachinery v0.29.0 // indirect
+ k8s.io/klog/v2 v2.110.1 // indirect
+ k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+ sigs.k8s.io/controller-tools v0.14.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)
diff --git a/tools/src/crd-ref-docs/go.sum b/tools/src/crd-ref-docs/go.sum
index f42d190d039..53559cc9ef3 100644
--- a/tools/src/crd-ref-docs/go.sum
+++ b/tools/src/crd-ref-docs/go.sum
@@ -6,19 +6,18 @@ github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZC
github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/elastic/crd-ref-docs v0.0.10 h1:FAc9oCxxY4+rMCLSLtTGrEaPyuxmp3LNlQ+dZfG9Ujc=
-github.com/elastic/crd-ref-docs v0.0.10/go.mod h1:zha4djxzWirfx+c4fl/Kmk9Rc7Fv7XBoOi9CL9kne+M=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
-github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/elastic/crd-ref-docs v0.0.11 h1:/wNYycaIOQSnWPDdteRnx3IqvTBTzieQ6PHJS+g6nO4=
+github.com/elastic/crd-ref-docs v0.0.11/go.mod h1:B4kHxcBLQ41TbGnUTjdliNmuG6Dv7MFrH2pmYTjN4IQ=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no=
@@ -31,8 +30,9 @@ github.com/goccy/go-yaml v1.11.0 h1:n7Z+zx8S9f9KgzG6KtQKf+kwqXZlLNR2F6018Dgau54=
github.com/goccy/go-yaml v1.11.0/go.mod h1:H+mJrWtjPTJAHvRbV09MCK9xYwODM+wRTVFFTWckfng=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -53,8 +53,8 @@ github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgx
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -68,15 +68,15 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
-github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
+github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -86,8 +86,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
@@ -105,8 +105,8 @@ golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -116,12 +116,13 @@ golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -132,8 +133,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
-golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -153,19 +154,19 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E=
-k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE=
-k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
-k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
-k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
-k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI=
-sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA=
+k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
+k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
+k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
+k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=
+k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
+k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A=
+sigs.k8s.io/controller-tools v0.14.0/go.mod h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod
index 11dcbce25ca..73ad3b2baae 100644
--- a/tools/src/golangci-lint/go.mod
+++ b/tools/src/golangci-lint/go.mod
@@ -1,8 +1,8 @@
module local
-go 1.21
+go 1.22
-require github.com/golangci/golangci-lint v1.57.1
+require github.com/golangci/golangci-lint v1.57.2
require (
4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
@@ -36,7 +36,7 @@ require (
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/charithe/durationcheck v0.0.10 // indirect
github.com/chavacava/garif v0.1.0 // indirect
- github.com/ckaznocha/intrange v0.1.0 // indirect
+ github.com/ckaznocha/intrange v0.1.1 // indirect
github.com/curioswitch/go-reassign v0.2.0 // indirect
github.com/daixiang0/gci v0.12.3 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
@@ -77,18 +77,18 @@ require (
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hexops/gotextdiff v1.0.3 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/jgautheron/goconst v1.7.0 // indirect
+ github.com/jgautheron/goconst v1.7.1 // indirect
github.com/jingyugao/rowserrcheck v1.1.1 // indirect
github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
github.com/jjti/go-spancheck v0.5.3 // indirect
github.com/julz/importas v0.1.0 // indirect
- github.com/karamaru-alpha/copyloopvar v1.0.8 // indirect
+ github.com/karamaru-alpha/copyloopvar v1.0.10 // indirect
github.com/kisielk/errcheck v1.7.0 // indirect
- github.com/kkHAIKE/contextcheck v1.1.4 // indirect
+ github.com/kkHAIKE/contextcheck v1.1.5 // indirect
github.com/kulti/thelper v0.6.3 // indirect
github.com/kunwardeep/paralleltest v1.0.10 // indirect
github.com/kyoh86/exportloopref v0.1.11 // indirect
- github.com/ldez/gomoddirectives v0.2.3 // indirect
+ github.com/ldez/gomoddirectives v0.2.4 // indirect
github.com/ldez/tagliatelle v0.5.0 // indirect
github.com/leonklingele/grouper v1.1.1 // indirect
github.com/lufeee/execinquery v1.2.1 // indirect
@@ -109,7 +109,7 @@ require (
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
github.com/nishanths/exhaustive v0.12.0 // indirect
github.com/nishanths/predeclared v0.2.2 // indirect
- github.com/nunnatsa/ginkgolinter v0.16.1 // indirect
+ github.com/nunnatsa/ginkgolinter v0.16.2 // indirect
github.com/olekukonko/tablewriter v0.0.5 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.2.0 // indirect
diff --git a/tools/src/golangci-lint/go.sum b/tools/src/golangci-lint/go.sum
index d80f02e474f..74ce9606aa3 100644
--- a/tools/src/golangci-lint/go.sum
+++ b/tools/src/golangci-lint/go.sum
@@ -113,8 +113,8 @@ github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+U
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/ckaznocha/intrange v0.1.0 h1:ZiGBhvrdsKpoEfzh9CjBfDSZof6QB0ORY5tXasUtiew=
-github.com/ckaznocha/intrange v0.1.0/go.mod h1:Vwa9Ekex2BrEQMg6zlrWwbs/FtYw7eS5838Q7UjK7TQ=
+github.com/ckaznocha/intrange v0.1.1 h1:gHe4LfqCspWkh8KpJFs20fJz3XRHFBFUV9yI7Itu83Q=
+github.com/ckaznocha/intrange v0.1.1/go.mod h1:RWffCw/vKBwHeOEwWdCikAtY0q4gGt8VhJZEEA5n+RE=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -224,8 +224,8 @@ github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9
github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk=
github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e h1:ULcKCDV1LOZPFxGZaA6TlQbiM3J2GCPnkx/bGF6sX/g=
github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e/go.mod h1:Pm5KhLPA8gSnQwrQ6ukebRcapGb/BG9iUkdaiCcGHJM=
-github.com/golangci/golangci-lint v1.57.1 h1:cqhpzkzjDwdN12rfMf1SUyyKyp88a1SltNqEYGS0nJw=
-github.com/golangci/golangci-lint v1.57.1/go.mod h1:zLcHhz3NHc88T5zV2j75lyc0zH3LdOPOybblYa4p0oI=
+github.com/golangci/golangci-lint v1.57.2 h1:NNhxfZyL5He1WWDrIvl1a4n5bvWZBcgAqBwlJAAgLTw=
+github.com/golangci/golangci-lint v1.57.2/go.mod h1:ApiG3S3Ca23QyfGp5BmsorTiVxJpr5jGiNS0BkdSidg=
github.com/golangci/misspell v0.4.1 h1:+y73iSicVy2PqyX7kmUefHusENlrP9YwuHZHPLGQj/g=
github.com/golangci/misspell v0.4.1/go.mod h1:9mAN1quEo3DlpbaIKKyEvRxK1pwqR9s/Sea1bJCtlNI=
github.com/golangci/plugin-module-register v0.1.1 h1:TCmesur25LnyJkpsVrupv1Cdzo+2f7zX0H6Jkw1Ol6c=
@@ -291,8 +291,8 @@ github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSo
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jgautheron/goconst v1.7.0 h1:cEqH+YBKLsECnRSd4F4TK5ri8t/aXtt/qoL0Ft252B0=
-github.com/jgautheron/goconst v1.7.0/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4=
+github.com/jgautheron/goconst v1.7.1 h1:VpdAG7Ca7yvvJk5n8dMwQhfEZJh95kl/Hl9S1OI5Jkk=
+github.com/jgautheron/goconst v1.7.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4=
github.com/jingyugao/rowserrcheck v1.1.1 h1:zibz55j/MJtLsjP1OF4bSdgXxwL1b+Vn7Tjzq7gFzUs=
github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c=
github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af h1:KA9BjwUk7KlCh6S9EAGWBt1oExIUv9WyNCiRz5amv48=
@@ -310,13 +310,13 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
github.com/julz/importas v0.1.0 h1:F78HnrsjY3cR7j0etXy5+TU1Zuy7Xt08X/1aJnH5xXY=
github.com/julz/importas v0.1.0/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0=
-github.com/karamaru-alpha/copyloopvar v1.0.8 h1:gieLARwuByhEMxRwM3GRS/juJqFbLraftXIKDDNJ50Q=
-github.com/karamaru-alpha/copyloopvar v1.0.8/go.mod h1:u7CIfztblY0jZLOQZgH3oYsJzpC2A7S6u/lfgSXHy0k=
+github.com/karamaru-alpha/copyloopvar v1.0.10 h1:8HYDy6KQYqTmD7JuhZMWS1nwPru9889XI24ROd/+WXI=
+github.com/karamaru-alpha/copyloopvar v1.0.10/go.mod h1:u7CIfztblY0jZLOQZgH3oYsJzpC2A7S6u/lfgSXHy0k=
github.com/kisielk/errcheck v1.7.0 h1:+SbscKmWJ5mOK/bO1zS60F5I9WwZDWOfRsC4RwfwRV0=
github.com/kisielk/errcheck v1.7.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kkHAIKE/contextcheck v1.1.4 h1:B6zAaLhOEEcjvUgIYEqystmnFk1Oemn8bvJhbt0GMb8=
-github.com/kkHAIKE/contextcheck v1.1.4/go.mod h1:1+i/gWqokIa+dm31mqGLZhZJ7Uh44DJGZVmr6QRBNJg=
+github.com/kkHAIKE/contextcheck v1.1.5 h1:CdnJh63tcDe53vG+RebdpdXJTc9atMgGqdx8LXxiilg=
+github.com/kkHAIKE/contextcheck v1.1.5/go.mod h1:O930cpht4xb1YQpK+1+AgoM3mFsvxr7uyFptcnWTYUA=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
@@ -333,8 +333,8 @@ github.com/kunwardeep/paralleltest v1.0.10 h1:wrodoaKYzS2mdNVnc4/w31YaXFtsc21PCT
github.com/kunwardeep/paralleltest v1.0.10/go.mod h1:2C7s65hONVqY7Q5Efj5aLzRCNLjw2h4eMc9EcypGjcY=
github.com/kyoh86/exportloopref v0.1.11 h1:1Z0bcmTypkL3Q4k+IDHMWTcnCliEZcaPiIe0/ymEyhQ=
github.com/kyoh86/exportloopref v0.1.11/go.mod h1:qkV4UF1zGl6EkF1ox8L5t9SwyeBAZ3qLMd6up458uqA=
-github.com/ldez/gomoddirectives v0.2.3 h1:y7MBaisZVDYmKvt9/l1mjNCiSA1BVn34U0ObUcJwlhA=
-github.com/ldez/gomoddirectives v0.2.3/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0=
+github.com/ldez/gomoddirectives v0.2.4 h1:j3YjBIjEBbqZ0NKtBNzr8rtMHTOrLPeiwTkfUJZ3alg=
+github.com/ldez/gomoddirectives v0.2.4/go.mod h1:oWu9i62VcQDYp9EQ0ONTfqLNh+mDLWWDO+SO0qSQw5g=
github.com/ldez/tagliatelle v0.5.0 h1:epgfuYt9v0CG3fms0pEgIMNPuFf/LpPIfjk4kyqSioo=
github.com/ldez/tagliatelle v0.5.0/go.mod h1:rj1HmWiL1MiKQuOONhd09iySTEkUuE/8+5jtPYz9xa4=
github.com/leonklingele/grouper v1.1.1 h1:suWXRU57D4/Enn6pXR0QVqqWWrnJ9Osrz+5rjt8ivzU=
@@ -385,8 +385,8 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK
github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs=
github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk=
github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
-github.com/nunnatsa/ginkgolinter v0.16.1 h1:uDIPSxgVHZ7PgbJElRDGzymkXH+JaF7mjew+Thjnt6Q=
-github.com/nunnatsa/ginkgolinter v0.16.1/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ=
+github.com/nunnatsa/ginkgolinter v0.16.2 h1:8iLqHIZvN4fTLDC0Ke9tbSZVcyVHoBs0HIbnVSxfHJk=
+github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ=
github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
diff --git a/tools/src/helm-docs/go.mod b/tools/src/helm-docs/go.mod
index d58318f8e50..7febe31cc86 100644
--- a/tools/src/helm-docs/go.mod
+++ b/tools/src/helm-docs/go.mod
@@ -1,8 +1,8 @@
module github.com/envoyproxy/gateway/tools/src/helm-docs
-go 1.21
+go 1.22
-require github.com/norwoodj/helm-docs v1.12.0
+require github.com/norwoodj/helm-docs v1.13.0
require (
github.com/Masterminds/goutils v1.1.1 // indirect
diff --git a/tools/src/helm-docs/go.sum b/tools/src/helm-docs/go.sum
index ca28e665b02..fa82d4a7cfc 100644
--- a/tools/src/helm-docs/go.sum
+++ b/tools/src/helm-docs/go.sum
@@ -17,712 +17,64 @@ cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHOb
cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
-cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
-cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
-cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
-cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
-cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U=
-cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
-cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
-cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA=
-cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM=
-cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
-cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
-cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4=
-cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw=
-cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E=
-cloud.google.com/go/accesscontextmanager v1.3.0/go.mod h1:TgCBehyr5gNMz7ZaH9xubp+CE8dkrszb4oK9CWyvD4o=
-cloud.google.com/go/accesscontextmanager v1.4.0/go.mod h1:/Kjh7BBu/Gh83sv+K60vN9QE5NJcd80sU33vIe2IFPE=
-cloud.google.com/go/accesscontextmanager v1.6.0/go.mod h1:8XCvZWfYw3K/ji0iVnp+6pu7huxoQTLmxAbVjbloTtM=
-cloud.google.com/go/accesscontextmanager v1.7.0/go.mod h1:CEGLewx8dwa33aDAZQujl7Dx+uYhS0eay198wB/VumQ=
-cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw=
-cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY=
-cloud.google.com/go/aiplatform v1.27.0/go.mod h1:Bvxqtl40l0WImSb04d0hXFU7gDOiq9jQmorivIiWcKg=
-cloud.google.com/go/aiplatform v1.35.0/go.mod h1:7MFT/vCaOyZT/4IIFfxH4ErVg/4ku6lKv3w0+tFTgXQ=
-cloud.google.com/go/aiplatform v1.36.1/go.mod h1:WTm12vJRPARNvJ+v6P52RDHCNe4AhvjcIZ/9/RRHy/k=
-cloud.google.com/go/aiplatform v1.37.0/go.mod h1:IU2Cv29Lv9oCn/9LkFiiuKfwrRTq+QQMbW+hPCxJGZw=
-cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI=
-cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4=
-cloud.google.com/go/analytics v0.17.0/go.mod h1:WXFa3WSym4IZ+JiKmavYdJwGG/CvpqiqczmL59bTD9M=
-cloud.google.com/go/analytics v0.18.0/go.mod h1:ZkeHGQlcIPkw0R/GW+boWHhCOR43xz9RN/jn7WcqfIE=
-cloud.google.com/go/analytics v0.19.0/go.mod h1:k8liqf5/HCnOUkbawNtrWWc+UAzyDlW89doe8TtoDsE=
-cloud.google.com/go/apigateway v1.3.0/go.mod h1:89Z8Bhpmxu6AmUxuVRg/ECRGReEdiP3vQtk4Z1J9rJk=
-cloud.google.com/go/apigateway v1.4.0/go.mod h1:pHVY9MKGaH9PQ3pJ4YLzoj6U5FUDeDFBllIz7WmzJoc=
-cloud.google.com/go/apigateway v1.5.0/go.mod h1:GpnZR3Q4rR7LVu5951qfXPJCHquZt02jf7xQx7kpqN8=
-cloud.google.com/go/apigeeconnect v1.3.0/go.mod h1:G/AwXFAKo0gIXkPTVfZDd2qA1TxBXJ3MgMRBQkIi9jc=
-cloud.google.com/go/apigeeconnect v1.4.0/go.mod h1:kV4NwOKqjvt2JYR0AoIWo2QGfoRtn/pkS3QlHp0Ni04=
-cloud.google.com/go/apigeeconnect v1.5.0/go.mod h1:KFaCqvBRU6idyhSNyn3vlHXc8VMDJdRmwDF6JyFRqZ8=
-cloud.google.com/go/apigeeregistry v0.4.0/go.mod h1:EUG4PGcsZvxOXAdyEghIdXwAEi/4MEaoqLMLDMIwKXY=
-cloud.google.com/go/apigeeregistry v0.5.0/go.mod h1:YR5+s0BVNZfVOUkMa5pAR2xGd0A473vA5M7j247o1wM=
-cloud.google.com/go/apigeeregistry v0.6.0/go.mod h1:BFNzW7yQVLZ3yj0TKcwzb8n25CFBri51GVGOEUcgQsc=
-cloud.google.com/go/apikeys v0.4.0/go.mod h1:XATS/yqZbaBK0HOssf+ALHp8jAlNHUgyfprvNcBIszU=
-cloud.google.com/go/apikeys v0.5.0/go.mod h1:5aQfwY4D+ewMMWScd3hm2en3hCj+BROlyrt3ytS7KLI=
-cloud.google.com/go/apikeys v0.6.0/go.mod h1:kbpXu5upyiAlGkKrJgQl8A0rKNNJ7dQ377pdroRSSi8=
-cloud.google.com/go/appengine v1.4.0/go.mod h1:CS2NhuBuDXM9f+qscZ6V86m1MIIqPj3WC/UoEuR1Sno=
-cloud.google.com/go/appengine v1.5.0/go.mod h1:TfasSozdkFI0zeoxW3PTBLiNqRmzraodCWatWI9Dmak=
-cloud.google.com/go/appengine v1.6.0/go.mod h1:hg6i0J/BD2cKmDJbaFSYHFyZkgBEfQrDg/X0V5fJn84=
-cloud.google.com/go/appengine v1.7.0/go.mod h1:eZqpbHFCqRGa2aCdope7eC0SWLV1j0neb/QnMJVWx6A=
-cloud.google.com/go/appengine v1.7.1/go.mod h1:IHLToyb/3fKutRysUlFO0BPt5j7RiQ45nrzEJmKTo6E=
-cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4=
-cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0=
-cloud.google.com/go/area120 v0.7.0/go.mod h1:a3+8EUD1SX5RUcCs3MY5YasiO1z6yLiNLRiFrykbynY=
-cloud.google.com/go/area120 v0.7.1/go.mod h1:j84i4E1RboTWjKtZVWXPqvK5VHQFJRF2c1Nm69pWm9k=
-cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ=
-cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk=
-cloud.google.com/go/artifactregistry v1.8.0/go.mod h1:w3GQXkJX8hiKN0v+at4b0qotwijQbYUqF2GWkZzAhC0=
-cloud.google.com/go/artifactregistry v1.9.0/go.mod h1:2K2RqvA2CYvAeARHRkLDhMDJ3OXy26h3XW+3/Jh2uYc=
-cloud.google.com/go/artifactregistry v1.11.1/go.mod h1:lLYghw+Itq9SONbCa1YWBoWs1nOucMH0pwXN1rOBZFI=
-cloud.google.com/go/artifactregistry v1.11.2/go.mod h1:nLZns771ZGAwVLzTX/7Al6R9ehma4WUEhZGWV6CeQNQ=
-cloud.google.com/go/artifactregistry v1.12.0/go.mod h1:o6P3MIvtzTOnmvGagO9v/rOjjA0HmhJ+/6KAXrmYDCI=
-cloud.google.com/go/artifactregistry v1.13.0/go.mod h1:uy/LNfoOIivepGhooAUpL1i30Hgee3Cu0l4VTWHUC08=
-cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o=
-cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s=
-cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0=
-cloud.google.com/go/asset v1.9.0/go.mod h1:83MOE6jEJBMqFKadM9NLRcs80Gdw76qGuHn8m3h8oHQ=
-cloud.google.com/go/asset v1.10.0/go.mod h1:pLz7uokL80qKhzKr4xXGvBQXnzHn5evJAEAtZiIb0wY=
-cloud.google.com/go/asset v1.11.1/go.mod h1:fSwLhbRvC9p9CXQHJ3BgFeQNM4c9x10lqlrdEUYXlJo=
-cloud.google.com/go/asset v1.12.0/go.mod h1:h9/sFOa4eDIyKmH6QMpm4eUK3pDojWnUhTgJlk762Hg=
-cloud.google.com/go/asset v1.13.0/go.mod h1:WQAMyYek/b7NBpYq/K4KJWcRqzoalEsxz/t/dTk4THw=
-cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY=
-cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw=
-cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI=
-cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo=
-cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0=
-cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E=
-cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0=
-cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8=
-cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8=
-cloud.google.com/go/automl v1.8.0/go.mod h1:xWx7G/aPEe/NP+qzYXktoBSDfjO+vnKMGgsApGJJquM=
-cloud.google.com/go/automl v1.12.0/go.mod h1:tWDcHDp86aMIuHmyvjuKeeHEGq76lD7ZqfGLN6B0NuU=
-cloud.google.com/go/baremetalsolution v0.3.0/go.mod h1:XOrocE+pvK1xFfleEnShBlNAXf+j5blPPxrhjKgnIFc=
-cloud.google.com/go/baremetalsolution v0.4.0/go.mod h1:BymplhAadOO/eBa7KewQ0Ppg4A4Wplbn+PsFKRLo0uI=
-cloud.google.com/go/baremetalsolution v0.5.0/go.mod h1:dXGxEkmR9BMwxhzBhV0AioD0ULBmuLZI8CdwalUxuss=
-cloud.google.com/go/batch v0.3.0/go.mod h1:TR18ZoAekj1GuirsUsR1ZTKN3FC/4UDnScjT8NXImFE=
-cloud.google.com/go/batch v0.4.0/go.mod h1:WZkHnP43R/QCGQsZ+0JyG4i79ranE2u8xvjq/9+STPE=
-cloud.google.com/go/batch v0.7.0/go.mod h1:vLZN95s6teRUqRQ4s3RLDsH8PvboqBK+rn1oevL159g=
-cloud.google.com/go/beyondcorp v0.2.0/go.mod h1:TB7Bd+EEtcw9PCPQhCJtJGjk/7TC6ckmnSFS+xwTfm4=
-cloud.google.com/go/beyondcorp v0.3.0/go.mod h1:E5U5lcrcXMsCuoDNyGrpyTm/hn7ne941Jz2vmksAxW8=
-cloud.google.com/go/beyondcorp v0.4.0/go.mod h1:3ApA0mbhHx6YImmuubf5pyW8srKnCEPON32/5hj+RmM=
-cloud.google.com/go/beyondcorp v0.5.0/go.mod h1:uFqj9X+dSfrheVp7ssLTaRHd2EHqSL4QZmH4e8WXGGU=
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA=
-cloud.google.com/go/bigquery v1.43.0/go.mod h1:ZMQcXHsl+xmU1z36G2jNGZmKp9zNY5BUua5wDgmNCfw=
-cloud.google.com/go/bigquery v1.44.0/go.mod h1:0Y33VqXTEsbamHJvJHdFmtqHvMIY28aK1+dFsvaChGc=
-cloud.google.com/go/bigquery v1.47.0/go.mod h1:sA9XOgy0A8vQK9+MWhEQTY6Tix87M/ZurWFIxmF9I/E=
-cloud.google.com/go/bigquery v1.48.0/go.mod h1:QAwSz+ipNgfL5jxiaK7weyOhzdoAy1zFm0Nf1fysJac=
-cloud.google.com/go/bigquery v1.49.0/go.mod h1:Sv8hMmTFFYBlt/ftw2uN6dFdQPzBlREY9yBh7Oy7/4Q=
-cloud.google.com/go/bigquery v1.50.0/go.mod h1:YrleYEh2pSEbgTBZYMJ5SuSr0ML3ypjRB1zgf7pvQLU=
-cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY=
-cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s=
-cloud.google.com/go/billing v1.6.0/go.mod h1:WoXzguj+BeHXPbKfNWkqVtDdzORazmCjraY+vrxcyvI=
-cloud.google.com/go/billing v1.7.0/go.mod h1:q457N3Hbj9lYwwRbnlD7vUpyjq6u5U1RAOArInEiD5Y=
-cloud.google.com/go/billing v1.12.0/go.mod h1:yKrZio/eu+okO/2McZEbch17O5CB5NpZhhXG6Z766ss=
-cloud.google.com/go/billing v1.13.0/go.mod h1:7kB2W9Xf98hP9Sr12KfECgfGclsH3CQR0R08tnRlRbc=
-cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM=
-cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI=
-cloud.google.com/go/binaryauthorization v1.3.0/go.mod h1:lRZbKgjDIIQvzYQS1p99A7/U1JqvqeZg0wiI5tp6tg0=
-cloud.google.com/go/binaryauthorization v1.4.0/go.mod h1:tsSPQrBd77VLplV70GUhBf/Zm3FsKmgSqgm4UmiDItk=
-cloud.google.com/go/binaryauthorization v1.5.0/go.mod h1:OSe4OU1nN/VswXKRBmciKpo9LulY41gch5c68htf3/Q=
-cloud.google.com/go/certificatemanager v1.3.0/go.mod h1:n6twGDvcUBFu9uBgt4eYvvf3sQ6My8jADcOVwHmzadg=
-cloud.google.com/go/certificatemanager v1.4.0/go.mod h1:vowpercVFyqs8ABSmrdV+GiFf2H/ch3KyudYQEMM590=
-cloud.google.com/go/certificatemanager v1.6.0/go.mod h1:3Hh64rCKjRAX8dXgRAyOcY5vQ/fE1sh8o+Mdd6KPgY8=
-cloud.google.com/go/channel v1.8.0/go.mod h1:W5SwCXDJsq/rg3tn3oG0LOxpAo6IMxNa09ngphpSlnk=
-cloud.google.com/go/channel v1.9.0/go.mod h1:jcu05W0my9Vx4mt3/rEHpfxc9eKi9XwsdDL8yBMbKUk=
-cloud.google.com/go/channel v1.11.0/go.mod h1:IdtI0uWGqhEeatSB62VOoJ8FSUhJ9/+iGkJVqp74CGE=
-cloud.google.com/go/channel v1.12.0/go.mod h1:VkxCGKASi4Cq7TbXxlaBezonAYpp1GCnKMY6tnMQnLU=
-cloud.google.com/go/cloudbuild v1.3.0/go.mod h1:WequR4ULxlqvMsjDEEEFnOG5ZSRSgWOywXYDb1vPE6U=
-cloud.google.com/go/cloudbuild v1.4.0/go.mod h1:5Qwa40LHiOXmz3386FrjrYM93rM/hdRr7b53sySrTqA=
-cloud.google.com/go/cloudbuild v1.6.0/go.mod h1:UIbc/w9QCbH12xX+ezUsgblrWv+Cv4Tw83GiSMHOn9M=
-cloud.google.com/go/cloudbuild v1.7.0/go.mod h1:zb5tWh2XI6lR9zQmsm1VRA+7OCuve5d8S+zJUul8KTg=
-cloud.google.com/go/cloudbuild v1.9.0/go.mod h1:qK1d7s4QlO0VwfYn5YuClDGg2hfmLZEb4wQGAbIgL1s=
-cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM=
-cloud.google.com/go/clouddms v1.4.0/go.mod h1:Eh7sUGCC+aKry14O1NRljhjyrr0NFC0G2cjwX0cByRk=
-cloud.google.com/go/clouddms v1.5.0/go.mod h1:QSxQnhikCLUw13iAbffF2CZxAER3xDGNHjsTAkQJcQA=
-cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY=
-cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI=
-cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4=
-cloud.google.com/go/cloudtasks v1.8.0/go.mod h1:gQXUIwCSOI4yPVK7DgTVFiiP0ZW/eQkydWzwVMdHxrI=
-cloud.google.com/go/cloudtasks v1.9.0/go.mod h1:w+EyLsVkLWHcOaqNEyvcKAsWp9p29dL6uL9Nst1cI7Y=
-cloud.google.com/go/cloudtasks v1.10.0/go.mod h1:NDSoTLkZ3+vExFEWu2UJV1arUyzVDAiZtdWcsUyNwBs=
-cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
-cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
-cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
-cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
-cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
-cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
-cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
-cloud.google.com/go/compute v1.12.0/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
-cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
-cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE=
-cloud.google.com/go/compute v1.14.0/go.mod h1:YfLtxrj9sU4Yxv+sXzZkyPjEyPBZfXHUvjxega5vAdo=
-cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA=
-cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs=
-cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU=
-cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU=
-cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY=
-cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck=
-cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w=
-cloud.google.com/go/container v1.6.0/go.mod h1:Xazp7GjJSeUYo688S+6J5V+n/t+G5sKBTFkKNudGRxg=
-cloud.google.com/go/container v1.7.0/go.mod h1:Dp5AHtmothHGX3DwwIHPgq45Y8KmNsgN3amoYfxVkLo=
-cloud.google.com/go/container v1.13.1/go.mod h1:6wgbMPeQRw9rSnKBCAJXnds3Pzj03C4JHamr8asWKy4=
-cloud.google.com/go/container v1.14.0/go.mod h1:3AoJMPhHfLDxLvrlVWaK57IXzaPnLaZq63WX59aQBfM=
-cloud.google.com/go/container v1.15.0/go.mod h1:ft+9S0WGjAyjDggg5S06DXj+fHJICWg8L7isCQe9pQA=
-cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
-cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4=
-cloud.google.com/go/containeranalysis v0.7.0/go.mod h1:9aUL+/vZ55P2CXfuZjS4UjQ9AgXoSw8Ts6lemfmxBxI=
-cloud.google.com/go/containeranalysis v0.9.0/go.mod h1:orbOANbwk5Ejoom+s+DUCTTJ7IBdBQJDcSylAx/on9s=
-cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0=
-cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs=
-cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc=
-cloud.google.com/go/datacatalog v1.7.0/go.mod h1:9mEl4AuDYWw81UGc41HonIHH7/sn52H0/tc8f8ZbZIE=
-cloud.google.com/go/datacatalog v1.8.0/go.mod h1:KYuoVOv9BM8EYz/4eMFxrr4DUKhGIOXxZoKYF5wdISM=
-cloud.google.com/go/datacatalog v1.8.1/go.mod h1:RJ58z4rMp3gvETA465Vg+ag8BGgBdnRPEMMSTr5Uv+M=
-cloud.google.com/go/datacatalog v1.12.0/go.mod h1:CWae8rFkfp6LzLumKOnmVh4+Zle4A3NXLzVJ1d1mRm0=
-cloud.google.com/go/datacatalog v1.13.0/go.mod h1:E4Rj9a5ZtAxcQJlEBTLgMTphfP11/lNaAshpoBgemX8=
-cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM=
-cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ=
-cloud.google.com/go/dataflow v0.8.0/go.mod h1:Rcf5YgTKPtQyYz8bLYhFoIV/vP39eL7fWNcSOyFfLJE=
-cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo=
-cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE=
-cloud.google.com/go/dataform v0.5.0/go.mod h1:GFUYRe8IBa2hcomWplodVmUx/iTL0FrsauObOM3Ipr0=
-cloud.google.com/go/dataform v0.6.0/go.mod h1:QPflImQy33e29VuapFdf19oPbE4aYTJxr31OAPV+ulA=
-cloud.google.com/go/dataform v0.7.0/go.mod h1:7NulqnVozfHvWUBpMDfKMUESr+85aJsC/2O0o3jWPDE=
-cloud.google.com/go/datafusion v1.4.0/go.mod h1:1Zb6VN+W6ALo85cXnM1IKiPw+yQMKMhB9TsTSRDo/38=
-cloud.google.com/go/datafusion v1.5.0/go.mod h1:Kz+l1FGHB0J+4XF2fud96WMmRiq/wj8N9u007vyXZ2w=
-cloud.google.com/go/datafusion v1.6.0/go.mod h1:WBsMF8F1RhSXvVM8rCV3AeyWVxcC2xY6vith3iw3S+8=
-cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I=
-cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ=
-cloud.google.com/go/datalabeling v0.7.0/go.mod h1:WPQb1y08RJbmpM3ww0CSUAGweL0SxByuW2E+FU+wXcM=
-cloud.google.com/go/dataplex v1.3.0/go.mod h1:hQuRtDg+fCiFgC8j0zV222HvzFQdRd+SVX8gdmFcZzA=
-cloud.google.com/go/dataplex v1.4.0/go.mod h1:X51GfLXEMVJ6UN47ESVqvlsRplbLhcsAt0kZCCKsU0A=
-cloud.google.com/go/dataplex v1.5.2/go.mod h1:cVMgQHsmfRoI5KFYq4JtIBEUbYwc3c7tXmIDhRmNNVQ=
-cloud.google.com/go/dataplex v1.6.0/go.mod h1:bMsomC/aEJOSpHXdFKFGQ1b0TDPIeL28nJObeO1ppRs=
-cloud.google.com/go/dataproc v1.7.0/go.mod h1:CKAlMjII9H90RXaMpSxQ8EU6dQx6iAYNPcYPOkSbi8s=
-cloud.google.com/go/dataproc v1.8.0/go.mod h1:5OW+zNAH0pMpw14JVrPONsxMQYMBqJuzORhIBfBn9uI=
-cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4=
-cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo=
-cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA=
-cloud.google.com/go/dataqna v0.7.0/go.mod h1:Lx9OcIIeqCrw1a6KdO3/5KMP1wAmTc0slZWwP12Qq3c=
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/datastore v1.10.0/go.mod h1:PC5UzAmDEkAmkfaknstTYbNpgE49HAgW2J1gcgUfmdM=
-cloud.google.com/go/datastore v1.11.0/go.mod h1:TvGxBIHCS50u8jzG+AW/ppf87v1of8nwzFNgEZU1D3c=
-cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo=
-cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ=
-cloud.google.com/go/datastream v1.4.0/go.mod h1:h9dpzScPhDTs5noEMQVWP8Wx8AFBRyS0s8KWPx/9r0g=
-cloud.google.com/go/datastream v1.5.0/go.mod h1:6TZMMNPwjUqZHBKPQ1wwXpb0d5VDVPl2/XoS5yi88q4=
-cloud.google.com/go/datastream v1.6.0/go.mod h1:6LQSuswqLa7S4rPAOZFVjHIG3wJIjZcZrw8JDEDJuIs=
-cloud.google.com/go/datastream v1.7.0/go.mod h1:uxVRMm2elUSPuh65IbZpzJNMbuzkcvu5CjMqVIUHrww=
-cloud.google.com/go/deploy v1.4.0/go.mod h1:5Xghikd4VrmMLNaF6FiRFDlHb59VM59YoDQnOUdsH/c=
-cloud.google.com/go/deploy v1.5.0/go.mod h1:ffgdD0B89tToyW/U/D2eL0jN2+IEV/3EMuXHA0l4r+s=
-cloud.google.com/go/deploy v1.6.0/go.mod h1:f9PTHehG/DjCom3QH0cntOVRm93uGBDt2vKzAPwpXQI=
-cloud.google.com/go/deploy v1.8.0/go.mod h1:z3myEJnA/2wnB4sgjqdMfgxCA0EqC3RBTNcVPs93mtQ=
-cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4=
-cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0=
-cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8=
-cloud.google.com/go/dialogflow v1.18.0/go.mod h1:trO7Zu5YdyEuR+BhSNOqJezyFQ3aUzz0njv7sMx/iek=
-cloud.google.com/go/dialogflow v1.19.0/go.mod h1:JVmlG1TwykZDtxtTXujec4tQ+D8SBFMoosgy+6Gn0s0=
-cloud.google.com/go/dialogflow v1.29.0/go.mod h1:b+2bzMe+k1s9V+F2jbJwpHPzrnIyHihAdRFMtn2WXuM=
-cloud.google.com/go/dialogflow v1.31.0/go.mod h1:cuoUccuL1Z+HADhyIA7dci3N5zUssgpBJmCzI6fNRB4=
-cloud.google.com/go/dialogflow v1.32.0/go.mod h1:jG9TRJl8CKrDhMEcvfcfFkkpp8ZhgPz3sBGmAUYJ2qE=
-cloud.google.com/go/dlp v1.6.0/go.mod h1:9eyB2xIhpU0sVwUixfBubDoRwP+GjeUoxxeueZmqvmM=
-cloud.google.com/go/dlp v1.7.0/go.mod h1:68ak9vCiMBjbasxeVD17hVPxDEck+ExiHavX8kiHG+Q=
-cloud.google.com/go/dlp v1.9.0/go.mod h1:qdgmqgTyReTz5/YNSSuueR8pl7hO0o9bQ39ZhtgkWp4=
-cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU=
-cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU=
-cloud.google.com/go/documentai v1.9.0/go.mod h1:FS5485S8R00U10GhgBC0aNGrJxBP8ZVpEeJ7PQDZd6k=
-cloud.google.com/go/documentai v1.10.0/go.mod h1:vod47hKQIPeCfN2QS/jULIvQTugbmdc0ZvxxfQY1bg4=
-cloud.google.com/go/documentai v1.16.0/go.mod h1:o0o0DLTEZ+YnJZ+J4wNfTxmDVyrkzFvttBXXtYRMHkM=
-cloud.google.com/go/documentai v1.18.0/go.mod h1:F6CK6iUH8J81FehpskRmhLq/3VlwQvb7TvwOceQ2tbs=
-cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y=
-cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg=
-cloud.google.com/go/domains v0.8.0/go.mod h1:M9i3MMDzGFXsydri9/vW+EWz9sWb4I6WyHqdlAk0idE=
-cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk=
-cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w=
-cloud.google.com/go/edgecontainer v0.3.0/go.mod h1:FLDpP4nykgwwIfcLt6zInhprzw0lEi2P1fjO6Ie0qbc=
-cloud.google.com/go/edgecontainer v1.0.0/go.mod h1:cttArqZpBB2q58W/upSG++ooo6EsblxDIolxa3jSjbY=
-cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU=
-cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFqbQan7HV75p8sA+mdGI=
-cloud.google.com/go/essentialcontacts v1.4.0/go.mod h1:8tRldvHYsmnBCHdFpvU+GL75oWiBKl80BiqlFh9tp+8=
-cloud.google.com/go/essentialcontacts v1.5.0/go.mod h1:ay29Z4zODTuwliK7SnX8E86aUF2CTzdNtvv42niCX0M=
-cloud.google.com/go/eventarc v1.7.0/go.mod h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc=
-cloud.google.com/go/eventarc v1.8.0/go.mod h1:imbzxkyAU4ubfsaKYdQg04WS1NvncblHEup4kvF+4gw=
-cloud.google.com/go/eventarc v1.10.0/go.mod h1:u3R35tmZ9HvswGRBnF48IlYgYeBcPUCjkr4BTdem2Kw=
-cloud.google.com/go/eventarc v1.11.0/go.mod h1:PyUjsUKPWoRBCHeOxZd/lbOOjahV41icXyUY5kSTvVY=
-cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w=
-cloud.google.com/go/filestore v1.4.0/go.mod h1:PaG5oDfo9r224f8OYXURtAsY+Fbyq/bLYoINEK8XQAI=
-cloud.google.com/go/filestore v1.5.0/go.mod h1:FqBXDWBp4YLHqRnVGveOkHDf8svj9r5+mUDLupOWEDs=
-cloud.google.com/go/filestore v1.6.0/go.mod h1:di5unNuss/qfZTw2U9nhFqo8/ZDSc466dre85Kydllg=
-cloud.google.com/go/firestore v1.9.0/go.mod h1:HMkjKHNTtRyZNiMzu7YAsLr9K3X2udY2AMwDaMEQiiE=
-cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk=
-cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg=
-cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY=
-cloud.google.com/go/functions v1.9.0/go.mod h1:Y+Dz8yGguzO3PpIjhLTbnqV1CWmgQ5UwtlpzoyquQ08=
-cloud.google.com/go/functions v1.10.0/go.mod h1:0D3hEOe3DbEvCXtYOZHQZmD+SzYsi1YbI7dGvHfldXw=
-cloud.google.com/go/functions v1.12.0/go.mod h1:AXWGrF3e2C/5ehvwYo/GH6O5s09tOPksiKhz+hH8WkA=
-cloud.google.com/go/functions v1.13.0/go.mod h1:EU4O007sQm6Ef/PwRsI8N2umygGqPBS/IZQKBQBcJ3c=
-cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM=
-cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA=
-cloud.google.com/go/gaming v1.7.0/go.mod h1:LrB8U7MHdGgFG851iHAfqUdLcKBdQ55hzXy9xBJz0+w=
-cloud.google.com/go/gaming v1.8.0/go.mod h1:xAqjS8b7jAVW0KFYeRUxngo9My3f33kFmua++Pi+ggM=
-cloud.google.com/go/gaming v1.9.0/go.mod h1:Fc7kEmCObylSWLO334NcO+O9QMDyz+TKC4v1D7X+Bc0=
-cloud.google.com/go/gkebackup v0.2.0/go.mod h1:XKvv/4LfG829/B8B7xRkk8zRrOEbKtEam6yNfuQNH60=
-cloud.google.com/go/gkebackup v0.3.0/go.mod h1:n/E671i1aOQvUxT541aTkCwExO/bTer2HDlj4TsBRAo=
-cloud.google.com/go/gkebackup v0.4.0/go.mod h1:byAyBGUwYGEEww7xsbnUTBHIYcOPy/PgUWUtOeRm9Vg=
-cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o=
-cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A=
-cloud.google.com/go/gkeconnect v0.7.0/go.mod h1:SNfmVqPkaEi3bF/B3CNZOAYPYdg7sU+obZ+QTky2Myw=
-cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0=
-cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0=
-cloud.google.com/go/gkehub v0.11.0/go.mod h1:JOWHlmN+GHyIbuWQPl47/C2RFhnFKH38jH9Ascu3n0E=
-cloud.google.com/go/gkehub v0.12.0/go.mod h1:djiIwwzTTBrF5NaXCGv3mf7klpEMcST17VBTVVDcuaw=
-cloud.google.com/go/gkemulticloud v0.3.0/go.mod h1:7orzy7O0S+5kq95e4Hpn7RysVA7dPs8W/GgfUtsPbrA=
-cloud.google.com/go/gkemulticloud v0.4.0/go.mod h1:E9gxVBnseLWCk24ch+P9+B2CoDFJZTyIgLKSalC7tuI=
-cloud.google.com/go/gkemulticloud v0.5.0/go.mod h1:W0JDkiyi3Tqh0TJr//y19wyb1yf8llHVto2Htf2Ja3Y=
-cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
-cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2rg9bN8SXOa0bgM=
-cloud.google.com/go/gsuiteaddons v1.4.0/go.mod h1:rZK5I8hht7u7HxFQcFei0+AtfS9uSushomRlg+3ua1o=
-cloud.google.com/go/gsuiteaddons v1.5.0/go.mod h1:TFCClYLd64Eaa12sFVmUyG62tk4mdIsI7pAnSXRkcFo=
-cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c=
-cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
-cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc=
-cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc=
-cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg=
-cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE=
-cloud.google.com/go/iam v0.11.0/go.mod h1:9PiLDanza5D+oWFZiH1uG+RnRCfEGKoyl6yo4cgWZGY=
-cloud.google.com/go/iam v0.12.0/go.mod h1:knyHGviacl11zrtZUoDuYpDgLjvr28sLQaG0YB2GYAY=
-cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
-cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc=
-cloud.google.com/go/iap v1.5.0/go.mod h1:UH/CGgKd4KyohZL5Pt0jSKE4m3FR51qg6FKQ/z/Ix9A=
-cloud.google.com/go/iap v1.6.0/go.mod h1:NSuvI9C/j7UdjGjIde7t7HBz+QTwBcapPE07+sSRcLk=
-cloud.google.com/go/iap v1.7.0/go.mod h1:beqQx56T9O1G1yNPph+spKpNibDlYIiIixiqsQXxLIo=
-cloud.google.com/go/iap v1.7.1/go.mod h1:WapEwPc7ZxGt2jFGB/C/bm+hP0Y6NXzOYGjpPnmMS74=
-cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM=
-cloud.google.com/go/ids v1.2.0/go.mod h1:5WXvp4n25S0rA/mQWAg1YEEBBq6/s+7ml1RDCW1IrcY=
-cloud.google.com/go/ids v1.3.0/go.mod h1:JBdTYwANikFKaDP6LtW5JAi4gubs57SVNQjemdt6xV4=
-cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs=
-cloud.google.com/go/iot v1.4.0/go.mod h1:dIDxPOn0UvNDUMD8Ger7FIaTuvMkj+aGk94RPP0iV+g=
-cloud.google.com/go/iot v1.5.0/go.mod h1:mpz5259PDl3XJthEmh9+ap0affn/MqNSP4My77Qql9o=
-cloud.google.com/go/iot v1.6.0/go.mod h1:IqdAsmE2cTYYNO1Fvjfzo9po179rAtJeVGUvkLN3rLE=
-cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA=
-cloud.google.com/go/kms v1.5.0/go.mod h1:QJS2YY0eJGBg3mnDfuaCyLauWwBJiHRboYxJ++1xJNg=
-cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0=
-cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4jMAg=
-cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w=
-cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24=
-cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI=
-cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
-cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
-cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE=
-cloud.google.com/go/language v1.8.0/go.mod h1:qYPVHf7SPoNNiCL2Dr0FfEFNil1qi3pQEyygwpgVKB8=
-cloud.google.com/go/language v1.9.0/go.mod h1:Ns15WooPM5Ad/5no/0n81yUetis74g3zrbeJBE+ptUY=
-cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8=
-cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08=
-cloud.google.com/go/lifesciences v0.8.0/go.mod h1:lFxiEOMqII6XggGbOnKiyZ7IBwoIqA84ClvoezaA/bo=
-cloud.google.com/go/logging v1.6.1/go.mod h1:5ZO0mHHbvm8gEmeEUHrmDlTDSu5imF6MUP9OfilNXBw=
-cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
-cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE=
-cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc=
-cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo=
-cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE=
-cloud.google.com/go/managedidentities v1.4.0/go.mod h1:NWSBYbEMgqmbZsLIyKvxrYbtqOsxY1ZrGM+9RgDqInM=
-cloud.google.com/go/managedidentities v1.5.0/go.mod h1:+dWcZ0JlUmpuxpIDfyP5pP5y0bLdRwOS4Lp7gMni/LA=
-cloud.google.com/go/maps v0.1.0/go.mod h1:BQM97WGyfw9FWEmQMpZ5T6cpovXXSd1cGmFma94eubI=
-cloud.google.com/go/maps v0.6.0/go.mod h1:o6DAMMfb+aINHz/p/jbcY+mYeXBoZoxTfdSQ8VAJaCw=
-cloud.google.com/go/maps v0.7.0/go.mod h1:3GnvVl3cqeSvgMcpRlQidXsPYuDGQ8naBis7MVzpXsY=
-cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4=
-cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w=
-cloud.google.com/go/mediatranslation v0.7.0/go.mod h1:LCnB/gZr90ONOIQLgSXagp8XUW1ODs2UmUMvcgMfI2I=
-cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE=
-cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM=
-cloud.google.com/go/memcache v1.6.0/go.mod h1:XS5xB0eQZdHtTuTF9Hf8eJkKtR3pVRCcvJwtm68T3rA=
-cloud.google.com/go/memcache v1.7.0/go.mod h1:ywMKfjWhNtkQTxrWxCkCFkoPjLHPW6A7WOTVI8xy3LY=
-cloud.google.com/go/memcache v1.9.0/go.mod h1:8oEyzXCu+zo9RzlEaEjHl4KkgjlNDaXbCQeQWlzNFJM=
-cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY=
-cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s=
-cloud.google.com/go/metastore v1.7.0/go.mod h1:s45D0B4IlsINu87/AsWiEVYbLaIMeUSoxlKKDqBGFS8=
-cloud.google.com/go/metastore v1.8.0/go.mod h1:zHiMc4ZUpBiM7twCIFQmJ9JMEkDSyZS9U12uf7wHqSI=
-cloud.google.com/go/metastore v1.10.0/go.mod h1:fPEnH3g4JJAk+gMRnrAnoqyv2lpUCqJPWOodSaf45Eo=
-cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhIsnmlA53dvEk=
-cloud.google.com/go/monitoring v1.8.0/go.mod h1:E7PtoMJ1kQXWxPjB6mv2fhC5/15jInuulFdYYtlcvT4=
-cloud.google.com/go/monitoring v1.12.0/go.mod h1:yx8Jj2fZNEkL/GYZyTLS4ZtZEZN8WtDEiEqG4kLK50w=
-cloud.google.com/go/monitoring v1.13.0/go.mod h1:k2yMBAB1H9JT/QETjNkgdCGD9bPF712XiLTVr+cBrpw=
-cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA=
-cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o=
-cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM=
-cloud.google.com/go/networkconnectivity v1.7.0/go.mod h1:RMuSbkdbPwNMQjB5HBWD5MpTBnNm39iAVpC3TmsExt8=
-cloud.google.com/go/networkconnectivity v1.10.0/go.mod h1:UP4O4sWXJG13AqrTdQCD9TnLGEbtNRqjuaaA7bNjF5E=
-cloud.google.com/go/networkconnectivity v1.11.0/go.mod h1:iWmDD4QF16VCDLXUqvyspJjIEtBR/4zq5hwnY2X3scM=
-cloud.google.com/go/networkmanagement v1.4.0/go.mod h1:Q9mdLLRn60AsOrPc8rs8iNV6OHXaGcDdsIQe1ohekq8=
-cloud.google.com/go/networkmanagement v1.5.0/go.mod h1:ZnOeZ/evzUdUsnvRt792H0uYEnHQEMaz+REhhzJRcf4=
-cloud.google.com/go/networkmanagement v1.6.0/go.mod h1:5pKPqyXjB/sgtvB5xqOemumoQNB7y95Q7S+4rjSOPYY=
-cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ=
-cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU=
-cloud.google.com/go/networksecurity v0.7.0/go.mod h1:mAnzoxx/8TBSyXEeESMy9OOYwo1v+gZ5eMRnsT5bC8k=
-cloud.google.com/go/networksecurity v0.8.0/go.mod h1:B78DkqsxFG5zRSVuwYFRZ9Xz8IcQ5iECsNrPn74hKHU=
-cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY=
-cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34=
-cloud.google.com/go/notebooks v1.4.0/go.mod h1:4QPMngcwmgb6uw7Po99B2xv5ufVoIQ7nOGDyL4P8AgA=
-cloud.google.com/go/notebooks v1.5.0/go.mod h1:q8mwhnP9aR8Hpfnrc5iN5IBhrXUy8S2vuYs+kBJ/gu0=
-cloud.google.com/go/notebooks v1.7.0/go.mod h1:PVlaDGfJgj1fl1S3dUwhFMXFgfYGhYQt2164xOMONmE=
-cloud.google.com/go/notebooks v1.8.0/go.mod h1:Lq6dYKOYOWUCTvw5t2q1gp1lAp0zxAxRycayS0iJcqQ=
-cloud.google.com/go/optimization v1.1.0/go.mod h1:5po+wfvX5AQlPznyVEZjGJTMr4+CAkJf2XSTQOOl9l4=
-cloud.google.com/go/optimization v1.2.0/go.mod h1:Lr7SOHdRDENsh+WXVmQhQTrzdu9ybg0NecjHidBq6xs=
-cloud.google.com/go/optimization v1.3.1/go.mod h1:IvUSefKiwd1a5p0RgHDbWCIbDFgKuEdB+fPPuP0IDLI=
-cloud.google.com/go/orchestration v1.3.0/go.mod h1:Sj5tq/JpWiB//X/q3Ngwdl5K7B7Y0KZ7bfv0wL6fqVA=
-cloud.google.com/go/orchestration v1.4.0/go.mod h1:6W5NLFWs2TlniBphAViZEVhrXRSMgUGDfW7vrWKvsBk=
-cloud.google.com/go/orchestration v1.6.0/go.mod h1:M62Bevp7pkxStDfFfTuCOaXgaaqRAga1yKyoMtEoWPQ=
-cloud.google.com/go/orgpolicy v1.4.0/go.mod h1:xrSLIV4RePWmP9P3tBl8S93lTmlAxjm06NSm2UTmKvE=
-cloud.google.com/go/orgpolicy v1.5.0/go.mod h1:hZEc5q3wzwXJaKrsx5+Ewg0u1LxJ51nNFlext7Tanwc=
-cloud.google.com/go/orgpolicy v1.10.0/go.mod h1:w1fo8b7rRqlXlIJbVhOMPrwVljyuW5mqssvBtU18ONc=
-cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs=
-cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg=
-cloud.google.com/go/osconfig v1.9.0/go.mod h1:Yx+IeIZJ3bdWmzbQU4fxNl8xsZ4amB+dygAwFPlvnNo=
-cloud.google.com/go/osconfig v1.10.0/go.mod h1:uMhCzqC5I8zfD9zDEAfvgVhDS8oIjySWh+l4WK6GnWw=
-cloud.google.com/go/osconfig v1.11.0/go.mod h1:aDICxrur2ogRd9zY5ytBLV89KEgT2MKB2L/n6x1ooPw=
-cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E=
-cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU=
-cloud.google.com/go/oslogin v1.6.0/go.mod h1:zOJ1O3+dTU8WPlGEkFSh7qeHPPSoxrcMbbK1Nm2iX70=
-cloud.google.com/go/oslogin v1.7.0/go.mod h1:e04SN0xO1UNJ1M5GP0vzVBFicIe4O53FOfcixIqTyXo=
-cloud.google.com/go/oslogin v1.9.0/go.mod h1:HNavntnH8nzrn8JCTT5fj18FuJLFJc4NaZJtBnQtKFs=
-cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0=
-cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA=
-cloud.google.com/go/phishingprotection v0.7.0/go.mod h1:8qJI4QKHoda/sb/7/YmMQ2omRLSLYSu9bU0EKCNI+Lk=
-cloud.google.com/go/policytroubleshooter v1.3.0/go.mod h1:qy0+VwANja+kKrjlQuOzmlvscn4RNsAc0e15GGqfMxg=
-cloud.google.com/go/policytroubleshooter v1.4.0/go.mod h1:DZT4BcRw3QoO8ota9xw/LKtPa8lKeCByYeKTIf/vxdE=
-cloud.google.com/go/policytroubleshooter v1.5.0/go.mod h1:Rz1WfV+1oIpPdN2VvvuboLVRsB1Hclg3CKQ53j9l8vw=
-cloud.google.com/go/policytroubleshooter v1.6.0/go.mod h1:zYqaPTsmfvpjm5ULxAyD/lINQxJ0DDsnWOP/GZ7xzBc=
-cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0=
-cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI=
-cloud.google.com/go/privatecatalog v0.7.0/go.mod h1:2s5ssIFO69F5csTXcwBP7NPFTZvps26xGzvQ2PQaBYg=
-cloud.google.com/go/privatecatalog v0.8.0/go.mod h1:nQ6pfaegeDAq/Q5lrfCQzQLhubPiZhSaNhIgfJlnIXs=
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/pubsub v1.26.0/go.mod h1:QgBH3U/jdJy/ftjPhTkyXNj543Tin1pRYcdcPRnFIRI=
-cloud.google.com/go/pubsub v1.27.1/go.mod h1:hQN39ymbV9geqBnfQq6Xf63yNhUAhv9CZhzp5O6qsW0=
-cloud.google.com/go/pubsub v1.28.0/go.mod h1:vuXFpwaVoIPQMGXqRyUQigu/AX1S3IWugR9xznmcXX8=
-cloud.google.com/go/pubsub v1.30.0/go.mod h1:qWi1OPS0B+b5L+Sg6Gmc9zD1Y+HaM0MdUr7LsupY1P4=
-cloud.google.com/go/pubsublite v1.5.0/go.mod h1:xapqNQ1CuLfGi23Yda/9l4bBCKz/wC3KIJ5gKcxveZg=
-cloud.google.com/go/pubsublite v1.6.0/go.mod h1:1eFCS0U11xlOuMFV/0iBqw3zP12kddMeCbj/F3FSj9k=
-cloud.google.com/go/pubsublite v1.7.0/go.mod h1:8hVMwRXfDfvGm3fahVbtDbiLePT3gpoiJYJY+vxWxVM=
-cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4=
-cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o=
-cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk=
-cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo=
-cloud.google.com/go/recaptchaenterprise/v2 v2.4.0/go.mod h1:Am3LHfOuBstrLrNCBrlI5sbwx9LBg3te2N6hGvHn2mE=
-cloud.google.com/go/recaptchaenterprise/v2 v2.5.0/go.mod h1:O8LzcHXN3rz0j+LBC91jrwI3R+1ZSZEWrfL7XHgNo9U=
-cloud.google.com/go/recaptchaenterprise/v2 v2.6.0/go.mod h1:RPauz9jeLtB3JVzg6nCbe12qNoaa8pXc4d/YukAmcnA=
-cloud.google.com/go/recaptchaenterprise/v2 v2.7.0/go.mod h1:19wVj/fs5RtYtynAPJdDTb69oW0vNHYDBTbB4NvMD9c=
-cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg=
-cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4=
-cloud.google.com/go/recommendationengine v0.7.0/go.mod h1:1reUcE3GIu6MeBz/h5xZJqNLuuVjNg1lmWMPyjatzac=
-cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg=
-cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c=
-cloud.google.com/go/recommender v1.7.0/go.mod h1:XLHs/W+T8olwlGOgfQenXBTbIseGclClff6lhFVe9Bs=
-cloud.google.com/go/recommender v1.8.0/go.mod h1:PkjXrTT05BFKwxaUxQmtIlrtj0kph108r02ZZQ5FE70=
-cloud.google.com/go/recommender v1.9.0/go.mod h1:PnSsnZY7q+VL1uax2JWkt/UegHssxjUVVCrX52CuEmQ=
-cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y=
-cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A=
-cloud.google.com/go/redis v1.9.0/go.mod h1:HMYQuajvb2D0LvMgZmLDZW8V5aOC/WxstZHiy4g8OiA=
-cloud.google.com/go/redis v1.10.0/go.mod h1:ThJf3mMBQtW18JzGgh41/Wld6vnDDc/F/F35UolRZPM=
-cloud.google.com/go/redis v1.11.0/go.mod h1:/X6eicana+BWcUda5PpwZC48o37SiFVTFSs0fWAJ7uQ=
-cloud.google.com/go/resourcemanager v1.3.0/go.mod h1:bAtrTjZQFJkiWTPDb1WBjzvc6/kifjj4QBYuKCCoqKA=
-cloud.google.com/go/resourcemanager v1.4.0/go.mod h1:MwxuzkumyTX7/a3n37gmsT3py7LIXwrShilPh3P1tR0=
-cloud.google.com/go/resourcemanager v1.5.0/go.mod h1:eQoXNAiAvCf5PXxWxXjhKQoTMaUSNrEfg+6qdf/wots=
-cloud.google.com/go/resourcemanager v1.6.0/go.mod h1:YcpXGRs8fDzcUl1Xw8uOVmI8JEadvhRIkoXXUNVYcVo=
-cloud.google.com/go/resourcemanager v1.7.0/go.mod h1:HlD3m6+bwhzj9XCouqmeiGuni95NTrExfhoSrkC/3EI=
-cloud.google.com/go/resourcesettings v1.3.0/go.mod h1:lzew8VfESA5DQ8gdlHwMrqZs1S9V87v3oCnKCWoOuQU=
-cloud.google.com/go/resourcesettings v1.4.0/go.mod h1:ldiH9IJpcrlC3VSuCGvjR5of/ezRrOxFtpJoJo5SmXg=
-cloud.google.com/go/resourcesettings v1.5.0/go.mod h1:+xJF7QSG6undsQDfsCJyqWXyBwUoJLhetkRMDRnIoXA=
-cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4=
-cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY=
-cloud.google.com/go/retail v1.10.0/go.mod h1:2gDk9HsL4HMS4oZwz6daui2/jmKvqShXKQuB2RZ+cCc=
-cloud.google.com/go/retail v1.11.0/go.mod h1:MBLk1NaWPmh6iVFSz9MeKG/Psyd7TAgm6y/9L2B4x9Y=
-cloud.google.com/go/retail v1.12.0/go.mod h1:UMkelN/0Z8XvKymXFbD4EhFJlYKRx1FGhQkVPU5kF14=
-cloud.google.com/go/run v0.2.0/go.mod h1:CNtKsTA1sDcnqqIFR3Pb5Tq0usWxJJvsWOCPldRU3Do=
-cloud.google.com/go/run v0.3.0/go.mod h1:TuyY1+taHxTjrD0ZFk2iAR+xyOXEA0ztb7U3UNA0zBo=
-cloud.google.com/go/run v0.8.0/go.mod h1:VniEnuBwqjigv0A7ONfQUaEItaiCRVujlMqerPPiktM=
-cloud.google.com/go/run v0.9.0/go.mod h1:Wwu+/vvg8Y+JUApMwEDfVfhetv30hCG4ZwDR/IXl2Qg=
-cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s=
-cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI=
-cloud.google.com/go/scheduler v1.6.0/go.mod h1:SgeKVM7MIwPn3BqtcBntpLyrIJftQISRrYB5ZtT+KOk=
-cloud.google.com/go/scheduler v1.7.0/go.mod h1:jyCiBqWW956uBjjPMMuX09n3x37mtyPJegEWKxRsn44=
-cloud.google.com/go/scheduler v1.8.0/go.mod h1:TCET+Y5Gp1YgHT8py4nlg2Sew8nUHMqcpousDgXJVQc=
-cloud.google.com/go/scheduler v1.9.0/go.mod h1:yexg5t+KSmqu+njTIh3b7oYPheFtBWGcbVUYF1GGMIc=
-cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA=
-cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4=
-cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8AL6X1MA01dW8ht4=
-cloud.google.com/go/secretmanager v1.10.0/go.mod h1:MfnrdvKMPNra9aZtQFvBcvRU54hbPD8/HayQdlUgJpU=
-cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4=
-cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0=
-cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU=
-cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q=
-cloud.google.com/go/security v1.10.0/go.mod h1:QtOMZByJVlibUT2h9afNDWRZ1G96gVywH8T5GUSb9IA=
-cloud.google.com/go/security v1.12.0/go.mod h1:rV6EhrpbNHrrxqlvW0BWAIawFWq3X90SduMJdFwtLB8=
-cloud.google.com/go/security v1.13.0/go.mod h1:Q1Nvxl1PAgmeW0y3HTt54JYIvUdtcpYKVfIB8AOMZ+0=
-cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU=
-cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc=
-cloud.google.com/go/securitycenter v1.15.0/go.mod h1:PeKJ0t8MoFmmXLXWm41JidyzI3PJjd8sXWaVqg43WWk=
-cloud.google.com/go/securitycenter v1.16.0/go.mod h1:Q9GMaLQFUD+5ZTabrbujNWLtSLZIZF7SAR0wWECrjdk=
-cloud.google.com/go/securitycenter v1.18.1/go.mod h1:0/25gAzCM/9OL9vVx4ChPeM/+DlfGQJDwBy/UC8AKK0=
-cloud.google.com/go/securitycenter v1.19.0/go.mod h1:LVLmSg8ZkkyaNy4u7HCIshAngSQ8EcIRREP3xBnyfag=
-cloud.google.com/go/servicecontrol v1.4.0/go.mod h1:o0hUSJ1TXJAmi/7fLJAedOovnujSEvjKCAFNXPQ1RaU=
-cloud.google.com/go/servicecontrol v1.5.0/go.mod h1:qM0CnXHhyqKVuiZnGKrIurvVImCs8gmqWsDoqe9sU1s=
-cloud.google.com/go/servicecontrol v1.10.0/go.mod h1:pQvyvSRh7YzUF2efw7H87V92mxU8FnFDawMClGCNuAA=
-cloud.google.com/go/servicecontrol v1.11.0/go.mod h1:kFmTzYzTUIuZs0ycVqRHNaNhgR+UMUpw9n02l/pY+mc=
-cloud.google.com/go/servicecontrol v1.11.1/go.mod h1:aSnNNlwEFBY+PWGQ2DoM0JJ/QUXqV5/ZD9DOLB7SnUk=
-cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs=
-cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg=
-cloud.google.com/go/servicedirectory v1.6.0/go.mod h1:pUlbnWsLH9c13yGkxCmfumWEPjsRs1RlmJ4pqiNjVL4=
-cloud.google.com/go/servicedirectory v1.7.0/go.mod h1:5p/U5oyvgYGYejufvxhgwjL8UVXjkuw7q5XcG10wx1U=
-cloud.google.com/go/servicedirectory v1.8.0/go.mod h1:srXodfhY1GFIPvltunswqXpVxFPpZjf8nkKQT7XcXaY=
-cloud.google.com/go/servicedirectory v1.9.0/go.mod h1:29je5JjiygNYlmsGz8k6o+OZ8vd4f//bQLtvzkPPT/s=
-cloud.google.com/go/servicemanagement v1.4.0/go.mod h1:d8t8MDbezI7Z2R1O/wu8oTggo3BI2GKYbdG4y/SJTco=
-cloud.google.com/go/servicemanagement v1.5.0/go.mod h1:XGaCRe57kfqu4+lRxaFEAuqmjzF0r+gWHjWqKqBvKFo=
-cloud.google.com/go/servicemanagement v1.6.0/go.mod h1:aWns7EeeCOtGEX4OvZUWCCJONRZeFKiptqKf1D0l/Jc=
-cloud.google.com/go/servicemanagement v1.8.0/go.mod h1:MSS2TDlIEQD/fzsSGfCdJItQveu9NXnUniTrq/L8LK4=
-cloud.google.com/go/serviceusage v1.3.0/go.mod h1:Hya1cozXM4SeSKTAgGXgj97GlqUvF5JaoXacR1JTP/E=
-cloud.google.com/go/serviceusage v1.4.0/go.mod h1:SB4yxXSaYVuUBYUml6qklyONXNLt83U0Rb+CXyhjEeU=
-cloud.google.com/go/serviceusage v1.5.0/go.mod h1:w8U1JvqUqwJNPEOTQjrMHkw3IaIFLoLsPLvsE3xueec=
-cloud.google.com/go/serviceusage v1.6.0/go.mod h1:R5wwQcbOWsyuOfbP9tGdAnCAc6B9DRwPG1xtWMDeuPA=
-cloud.google.com/go/shell v1.3.0/go.mod h1:VZ9HmRjZBsjLGXusm7K5Q5lzzByZmJHf1d0IWHEN5X4=
-cloud.google.com/go/shell v1.4.0/go.mod h1:HDxPzZf3GkDdhExzD/gs8Grqk+dmYcEjGShZgYa9URw=
-cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+qE2f9A=
-cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos=
-cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk=
-cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M=
-cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM=
-cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ=
-cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0=
-cloud.google.com/go/speech v1.9.0/go.mod h1:xQ0jTcmnRFFM2RfX/U+rk6FQNUF6DQlydUSyoooSpco=
-cloud.google.com/go/speech v1.14.1/go.mod h1:gEosVRPJ9waG7zqqnsHpYTOoAS4KouMRLDFMekpJ0J0=
-cloud.google.com/go/speech v1.15.0/go.mod h1:y6oH7GhqCaZANH7+Oe0BhgIogsNInLlz542tg3VqeYI=
cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
-cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
-cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
-cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
-cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
-cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w=
-cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I=
-cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4=
-cloud.google.com/go/storagetransfer v1.8.0/go.mod h1:JpegsHHU1eXg7lMHkvf+KE5XDJ7EQu0GwNJbbVGanEw=
-cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw=
-cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g=
-cloud.google.com/go/talent v1.3.0/go.mod h1:CmcxwJ/PKfRgd1pBjQgU6W3YBwiewmUzQYH5HHmSCmM=
-cloud.google.com/go/talent v1.4.0/go.mod h1:ezFtAgVuRf8jRsvyE6EwmbTK5LKciD4KVnHuDEFmOOA=
-cloud.google.com/go/talent v1.5.0/go.mod h1:G+ODMj9bsasAEJkQSzO2uHQWXHHXUomArjWQQYkqK6c=
-cloud.google.com/go/texttospeech v1.4.0/go.mod h1:FX8HQHA6sEpJ7rCMSfXuzBcysDAuWusNNNvN9FELDd8=
-cloud.google.com/go/texttospeech v1.5.0/go.mod h1:oKPLhR4n4ZdQqWKURdwxMy0uiTS1xU161C8W57Wkea4=
-cloud.google.com/go/texttospeech v1.6.0/go.mod h1:YmwmFT8pj1aBblQOI3TfKmwibnsfvhIBzPXcW4EBovc=
-cloud.google.com/go/tpu v1.3.0/go.mod h1:aJIManG0o20tfDQlRIej44FcwGGl/cD0oiRyMKG19IQ=
-cloud.google.com/go/tpu v1.4.0/go.mod h1:mjZaX8p0VBgllCzF6wcU2ovUXN9TONFLd7iz227X2Xg=
-cloud.google.com/go/tpu v1.5.0/go.mod h1:8zVo1rYDFuW2l4yZVY0R0fb/v44xLh3llq7RuV61fPM=
-cloud.google.com/go/trace v1.3.0/go.mod h1:FFUE83d9Ca57C+K8rDl/Ih8LwOzWIV1krKgxg6N0G28=
-cloud.google.com/go/trace v1.4.0/go.mod h1:UG0v8UBqzusp+z63o7FK74SdFE+AXpCLdFb1rshXG+Y=
-cloud.google.com/go/trace v1.8.0/go.mod h1:zH7vcsbAhklH8hWFig58HvxcxyQbaIqMarMg9hn5ECA=
-cloud.google.com/go/trace v1.9.0/go.mod h1:lOQqpE5IaWY0Ixg7/r2SjixMuc6lfTFeO4QGM4dQWOk=
-cloud.google.com/go/translate v1.3.0/go.mod h1:gzMUwRjvOqj5i69y/LYLd8RrNQk+hOmIXTi9+nb3Djs=
-cloud.google.com/go/translate v1.4.0/go.mod h1:06Dn/ppvLD6WvA5Rhdp029IX2Mi3Mn7fpMRLPvXT5Wg=
-cloud.google.com/go/translate v1.5.0/go.mod h1:29YDSYveqqpA1CQFD7NQuP49xymq17RXNaUDdc0mNu0=
-cloud.google.com/go/translate v1.6.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
-cloud.google.com/go/translate v1.7.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
-cloud.google.com/go/video v1.8.0/go.mod h1:sTzKFc0bUSByE8Yoh8X0mn8bMymItVGPfTuUBUyRgxk=
-cloud.google.com/go/video v1.9.0/go.mod h1:0RhNKFRF5v92f8dQt0yhaHrEuH95m068JYOvLZYnJSw=
-cloud.google.com/go/video v1.12.0/go.mod h1:MLQew95eTuaNDEGriQdcYn0dTwf9oWiA4uYebxM5kdg=
-cloud.google.com/go/video v1.13.0/go.mod h1:ulzkYlYgCp15N2AokzKjy7MQ9ejuynOJdf1tR5lGthk=
-cloud.google.com/go/video v1.14.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
-cloud.google.com/go/video v1.15.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
-cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU=
-cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4=
-cloud.google.com/go/videointelligence v1.8.0/go.mod h1:dIcCn4gVDdS7yte/w+koiXn5dWVplOZkE+xwG9FgK+M=
-cloud.google.com/go/videointelligence v1.9.0/go.mod h1:29lVRMPDYHikk3v8EdPSaL8Ku+eMzDljjuvRs105XoU=
-cloud.google.com/go/videointelligence v1.10.0/go.mod h1:LHZngX1liVtUhZvi2uNS0VQuOzNi2TkY1OakiuoUOjU=
-cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0=
-cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo=
-cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo=
-cloud.google.com/go/vision/v2 v2.4.0/go.mod h1:VtI579ll9RpVTrdKdkMzckdnwMyX2JILb+MhPqRbPsY=
-cloud.google.com/go/vision/v2 v2.5.0/go.mod h1:MmaezXOOE+IWa+cS7OhRRLK2cNv1ZL98zhqFFZaaH2E=
-cloud.google.com/go/vision/v2 v2.6.0/go.mod h1:158Hes0MvOS9Z/bDMSFpjwsUrZ5fPrdwuyyvKSGAGMY=
-cloud.google.com/go/vision/v2 v2.7.0/go.mod h1:H89VysHy21avemp6xcf9b9JvZHVehWbET0uT/bcuY/0=
-cloud.google.com/go/vmmigration v1.2.0/go.mod h1:IRf0o7myyWFSmVR1ItrBSFLFD/rJkfDCUTO4vLlJvsE=
-cloud.google.com/go/vmmigration v1.3.0/go.mod h1:oGJ6ZgGPQOFdjHuocGcLqX4lc98YQ7Ygq8YQwHh9A7g=
-cloud.google.com/go/vmmigration v1.5.0/go.mod h1:E4YQ8q7/4W9gobHjQg4JJSgXXSgY21nA5r8swQV+Xxc=
-cloud.google.com/go/vmmigration v1.6.0/go.mod h1:bopQ/g4z+8qXzichC7GW1w2MjbErL54rk3/C843CjfY=
-cloud.google.com/go/vmwareengine v0.1.0/go.mod h1:RsdNEf/8UDvKllXhMz5J40XxDrNJNN4sagiox+OI208=
-cloud.google.com/go/vmwareengine v0.2.2/go.mod h1:sKdctNJxb3KLZkE/6Oui94iw/xs9PRNC2wnNLXsHvH8=
-cloud.google.com/go/vmwareengine v0.3.0/go.mod h1:wvoyMvNWdIzxMYSpH/R7y2h5h3WFkx6d+1TIsP39WGY=
-cloud.google.com/go/vpcaccess v1.4.0/go.mod h1:aQHVbTWDYUR1EbTApSVvMq1EnT57ppDmQzZ3imqIk4w=
-cloud.google.com/go/vpcaccess v1.5.0/go.mod h1:drmg4HLk9NkZpGfCmZ3Tz0Bwnm2+DKqViEpeEpOq0m8=
-cloud.google.com/go/vpcaccess v1.6.0/go.mod h1:wX2ILaNhe7TlVa4vC5xce1bCnqE3AeH27RV31lnmZes=
-cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE=
-cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg=
-cloud.google.com/go/webrisk v1.6.0/go.mod h1:65sW9V9rOosnc9ZY7A7jsy1zoHS5W9IAXv6dGqhMQMc=
-cloud.google.com/go/webrisk v1.7.0/go.mod h1:mVMHgEYH0r337nmt1JyLthzMr6YxwN1aAIEc2fTcq7A=
-cloud.google.com/go/webrisk v1.8.0/go.mod h1:oJPDuamzHXgUc+b8SiHRcVInZQuybnvEW72PqTc7sSg=
-cloud.google.com/go/websecurityscanner v1.3.0/go.mod h1:uImdKm2wyeXQevQJXeh8Uun/Ym1VqworNDlBXQevGMo=
-cloud.google.com/go/websecurityscanner v1.4.0/go.mod h1:ebit/Fp0a+FWu5j4JOmJEV8S8CzdTkAS77oDsiSqYWQ=
-cloud.google.com/go/websecurityscanner v1.5.0/go.mod h1:Y6xdCPy81yi0SQnDY1xdNTNpfY1oAgXUlcfN3B3eSng=
-cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0=
-cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M=
-cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
-cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
-cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
-git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm/4RlzPXRlREEwqTHAN3T56Bv2ITsFT3gY=
-github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
-github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
-github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0=
-github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI=
-github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
-github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
-github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
-github.com/armon/go-metrics v0.4.0/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
-github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
-github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230310173818-32f1caf87195/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
-github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
-github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCwHLhwx1WguiVDV7pTG/tI=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
-github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
-github.com/envoyproxy/protoc-gen-validate v0.10.0/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
-github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
-github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
-github.com/go-fonts/liberation v0.2.0/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
-github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmnUIzUY=
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
-github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
-github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
-github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -730,8 +82,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -746,15 +96,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -763,20 +106,12 @@ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
-github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -787,217 +122,64 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
-github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
-github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
-github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
-github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
-github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
-github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
-github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
-github.com/hashicorp/consul/api v1.20.0/go.mod h1:nR64eD44KQ59Of/ECwt2vUmIK2DKsDzAwTmwmLl8Wpo=
-github.com/hashicorp/consul/sdk v0.13.1/go.mod h1:SW/mM4LbKfqmMvcFu8v+eiQQ7oitXEFeiBe9StxERb0=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
-github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
-github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
-github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
-github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
-github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
-github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
-github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
-github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
-github.com/hashicorp/memberlist v0.5.0/go.mod h1:yvyXLpo0QaGE59Y7hDTsTzDD25JYBZ4mHgHUZ8lrOI0=
-github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4=
github.com/huandu/xstrings v1.3.1 h1:4jgBlKK6tLKFvO8u5pmYjG91cqytmDCDvGh7ECVFfFs=
github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA=
github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
-github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
-github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
-github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
-github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
-github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
-github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
-github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY=
github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/norwoodj/helm-docs v1.12.0 h1:loTBTwaed0vYShJDRZZ/MmD+0XqiiNpVva4CUBvCsuw=
-github.com/norwoodj/helm-docs v1.12.0/go.mod h1:pSD2NcqopI4luhnVbdX6gwnwrWP8BTTaWTY7yPlm9xY=
-github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/norwoodj/helm-docs v1.13.0 h1:cOJIkYlXDkAZv4jmAD8lSY/KhSXpm+3DmSP2k+NHXjg=
+github.com/norwoodj/helm-docs v1.13.0/go.mod h1:9cj5SkwMsWXrOpVLlzDQaSaWdu7ogrn4OPDvcJgyrUY=
github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
-github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
-github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
-github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
-github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
-github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
-github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
-github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
-github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/sagikazarmark/crypt v0.10.0/go.mod h1:gwTNHQVoOS3xp9Xvz5LLR+1AauC5M6880z5NWzdhOyQ=
-github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
-github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
-github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM=
github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
@@ -1012,103 +194,50 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
-github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA=
-go.etcd.io/etcd/api/v3 v3.5.9/go.mod h1:uyAal843mC8uUVSLWz6eHa/d971iDGnCRpmKd2Z+X8k=
-go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY=
-go.etcd.io/etcd/client/pkg/v3 v3.5.9/go.mod h1:y+CzeSmkMpWN2Jyu1npecjB9BBnABxGM4pN8cGuJeL4=
-go.etcd.io/etcd/client/v2 v2.305.7/go.mod h1:GQGT5Z3TBuAQGvgPfhR7VPySu/SudxmEkRq9BgzFU6s=
-go.etcd.io/etcd/client/v3 v3.5.9/go.mod h1:i/Eo5LrZ5IKqpbtpPDuaUnDOUv471oDg8cjQaUr2MbA=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
-go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191002040644-a1355ae1e2c3/go.mod h1:NOZ3BPKG0ec/BKJQgnvsSFpcKLM5xXVWnvZS97DWHgE=
golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20190910094157-69e4b8554b2a/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200119044424-58c23975cae1/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200618115811-c13761719519/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20201208152932-35266b937fa6/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20210216034530-4410531fe030/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20210607152325-775e3b0c77b9/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20210628002857-a66eb6448b8d/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20211028202545-6944b10bf410/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20220302094943-723b81ca9867/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1120,7 +249,6 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu
golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -1131,16 +259,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -1148,11 +268,9 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -1169,40 +287,10 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1212,26 +300,6 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
-golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
-golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
-golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1242,18 +310,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1262,16 +320,10 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1283,8 +335,6 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1292,99 +342,29 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210304124612-50617c2ba197/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
-golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -1396,9 +376,7 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw
golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190927191325-030b2cf1153e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1422,45 +400,20 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY
golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
-gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
-gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0=
-gonum.org/v1/gonum v0.11.0/go.mod h1:fSG4YDCxxUZQJ7rKsQrj0gMOg00Il0Z96/qMA4bVQhA=
-gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
-gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc=
-gonum.org/v1/plot v0.9.0/go.mod h1:3Pcqqmp6RHvJI72kgb8fThyUnav364FOsdDo2aGW5lY=
-gonum.org/v1/plot v0.10.1/go.mod h1:VZW5OlhkL1mysU9vaqNHnsy86inf6Ot+jB3r+BczCEo=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1480,45 +433,6 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513
google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
-google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
-google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
-google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
-google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
-google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
-google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
-google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
-google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
-google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
-google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
-google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
-google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g=
-google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI=
-google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08=
-google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70=
-google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo=
-google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0=
-google.golang.org/api v0.106.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.107.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
-google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0=
-google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
-google.golang.org/api v0.122.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1549,7 +463,6 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
@@ -1562,102 +475,7 @@ google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6D
google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
-google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
-google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
-google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE=
-google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc=
-google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw=
-google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
-google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
-google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U=
-google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
-google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
-google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
-google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
-google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
-google.golang.org/genproto v0.0.0-20221109142239-94d6d90a7d66/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221117204609-8f9c96812029/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221201204527-e3fa12d562f3/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE=
-google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230112194545-e10362b5ecf9/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230113154510-dbe35b8444a5/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230123190316-2c411cf9d197/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230127162408-596548ed4efa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230216225411-c8e22ba71e44/go.mod h1:8B0gmkoRebU8ukX6HP+4wrVQUY1+6PkQ44BSyIlflHA=
-google.golang.org/genproto v0.0.0-20230222225845-10f96fb3dbec/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
-google.golang.org/genproto v0.0.0-20230223222841-637eb2293923/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
-google.golang.org/genproto v0.0.0-20230303212802-e74f57abe488/go.mod h1:TvhZT5f700eVlTNwND1xoEZQeWTB2RY/65kplwl/bFA=
-google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
-google.golang.org/genproto v0.0.0-20230320184635-7606e756e683/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
-google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1671,36 +489,9 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
-google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
-google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
-google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
-google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
-google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1711,33 +502,16 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1747,45 +521,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
k8s.io/helm v2.14.3+incompatible h1:uzotTcZXa/b2SWVoUzM1xiCXVjI38TuxMujS/1s+3Gw=
k8s.io/helm v2.14.3+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI=
-lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
-lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
-modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/cc/v3 v3.36.2/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/cc/v3 v3.36.3/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/ccgo/v3 v3.0.0-20220428102840-41399a37e894/go.mod h1:eI31LL8EwEBKPpNpA4bU1/i+sKOwOrQy8D87zWUcRZc=
-modernc.org/ccgo/v3 v3.0.0-20220430103911-bc99d88307be/go.mod h1:bwdAnOoaIt8Ax9YdWGjxWsdkPcZyRPHqrOvJxaKAKGw=
-modernc.org/ccgo/v3 v3.16.4/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
-modernc.org/ccgo/v3 v3.16.6/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
-modernc.org/ccgo/v3 v3.16.8/go.mod h1:zNjwkizS+fIFDrDjIAgBSCLkWbJuHF+ar3QRn+Z9aws=
-modernc.org/ccgo/v3 v3.16.9/go.mod h1:zNMzC9A9xeNUepy6KuZBbugn3c0Mc9TeiJO4lgvkJDo=
-modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
-modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
-modernc.org/libc v0.0.0-20220428101251-2d5f3daf273b/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
-modernc.org/libc v1.16.0/go.mod h1:N4LD6DBE9cf+Dzf9buBlzVJndKr/iJHG97vGLHYnb5A=
-modernc.org/libc v1.16.1/go.mod h1:JjJE0eu4yeK7tab2n4S1w8tlWd9MxXLRzheaRnAKymU=
-modernc.org/libc v1.16.17/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU=
-modernc.org/libc v1.16.19/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
-modernc.org/libc v1.17.0/go.mod h1:XsgLldpP4aWlPlsjqKRdHPqCxCjISdHfM/yeWC5GyW0=
-modernc.org/libc v1.17.1/go.mod h1:FZ23b+8LjxZs7XtFMbSzL/EhPxNbfZbErxEHc7cbD9s=
-modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/memory v1.1.1/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
-modernc.org/memory v1.2.0/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
-modernc.org/memory v1.2.1/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sqlite v1.18.1/go.mod h1:6ho+Gow7oX5V+OiOQ6Tr4xeqbx13UZ6t+Fw9IRUG4d4=
-modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw=
-modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
-modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw=
-modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/tools/src/kind/go.mod b/tools/src/kind/go.mod
index 9ae20babd71..5bde933138b 100644
--- a/tools/src/kind/go.mod
+++ b/tools/src/kind/go.mod
@@ -1,6 +1,6 @@
module github.com/envoyproxy/gateway/tools/src/kind
-go 1.21
+go 1.22
require sigs.k8s.io/kind v0.22.0
diff --git a/tools/src/protoc-gen-go-grpc/go.mod b/tools/src/protoc-gen-go-grpc/go.mod
index 079bab201a9..d1a4ce8af09 100644
--- a/tools/src/protoc-gen-go-grpc/go.mod
+++ b/tools/src/protoc-gen-go-grpc/go.mod
@@ -1,6 +1,6 @@
module github.com/envoyproxy/gateway/tools/src/protoc-gen-go-grpc
-go 1.21
+go 1.22
require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0
diff --git a/tools/src/protoc-gen-go/go.mod b/tools/src/protoc-gen-go/go.mod
index 5cbba95aa00..f8a47363e9e 100644
--- a/tools/src/protoc-gen-go/go.mod
+++ b/tools/src/protoc-gen-go/go.mod
@@ -1,5 +1,5 @@
module github.com/envoyproxy/gateway/tools/src/protoc-gen-go
-go 1.21
+go 1.22
require google.golang.org/protobuf v1.30.0
diff --git a/tools/src/setup-envtest/go.mod b/tools/src/setup-envtest/go.mod
index dfd3c5e8929..63d0027536d 100644
--- a/tools/src/setup-envtest/go.mod
+++ b/tools/src/setup-envtest/go.mod
@@ -1,6 +1,6 @@
module local
-go 1.21
+go 1.22
require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20220706173534-cd0058ad295c