diff --git a/docs/test-version.md b/docs/test-version.md
index 14125f1b6..7c8749713 100644
--- a/docs/test-version.md
+++ b/docs/test-version.md
@@ -9,11 +9,11 @@ The following Gateway API version and Ingress were tested as part of the release
| Tested Gateway API |
| ------------------------ |
-| v0.8.1 |
+| v1.0.0 |
### Tested Ingress
| Ingress | Tested version | Unavailable features |
| ------- | ----------------------- | ------------------------------ |
-| Istio | v1.19.3 | retry,httpoption |
+| Istio | v1.20.3 | retry,httpoption |
| Contour | v1.28.1 | httpoption,basics/http2,grpc,grpc/split,update |
diff --git a/hack/test-env.sh b/hack/test-env.sh
index 3928f620d..c570542cb 100755
--- a/hack/test-env.sh
+++ b/hack/test-env.sh
@@ -14,8 +14,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-export GATEWAY_API_VERSION="v0.8.1"
-export ISTIO_VERSION="1.19.3"
+export GATEWAY_API_VERSION="v1.0.0"
+export ISTIO_VERSION="1.20.3"
export ISTIO_UNSUPPORTED_E2E_TESTS="retry,httpoption"
export CONTOUR_VERSION="v1.28.1"
export CONTOUR_UNSUPPORTED_E2E_TESTS="httpoption,basics/http2,grpc,grpc/split,update"
diff --git a/third_party/gateway-api/gateway-api.yaml b/third_party/gateway-api/gateway-api.yaml
index 2de139274..bbb71f11f 100644
--- a/third_party/gateway-api/gateway-api.yaml
+++ b/third_party/gateway-api/gateway-api.yaml
@@ -17,14 +17,499 @@
#
---
#
+# config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ labels:
+ gateway.networking.k8s.io/policy: Direct
+ name: backendtlspolicies.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: BackendTLSPolicy
+ listKind: BackendTLSPolicyList
+ plural: backendtlspolicies
+ shortNames:
+ - btlspolicy
+ singular: backendtlspolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: BackendTLSPolicy provides a way to configure how a Gateway connects
+ to a Backend via TLS.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of BackendTLSPolicy.
+ properties:
+ targetRef:
+ description: "TargetRef identifies an API object to apply the policy
+ to. Only Services have Extended support. Implementations MAY support
+ additional objects, with Implementation Specific support. Note that
+ this config applies to the entire referenced resource by default,
+ but this default may change in the future to provide a more granular
+ application of the policy. \n Support: Extended for Kubernetes Service
+ \n Support: Implementation-specific for any other resource"
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace is the namespace of the referent. When
+ unspecified, the local namespace is inferred. Even when policy
+ targets a resource in a different namespace, it MUST only apply
+ to traffic originating from the same namespace as the policy.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. When unspecified, this targetRef targets the
+ entire resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name *
+ Service: Port Name \n If a SectionName is specified, but does
+ not exist on the targeted object, the Policy must fail to attach,
+ and the policy implementation should record a `ResolvedRefs`
+ or similar Condition in the Policy's status."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ tls:
+ description: TLS contains backend TLS policy configuration.
+ properties:
+ caCertRefs:
+ description: "CACertRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle,
+ which is used to validate a TLS handshake between the Gateway
+ and backend Pod. \n If CACertRefs is empty or unspecified, then
+ WellKnownCACerts must be specified. Only one of CACertRefs or
+ WellKnownCACerts may be specified, not both. If CACertRefs is
+ empty or unspecified, the configuration for WellKnownCACerts
+ MUST be honored instead. \n References to a resource in a different
+ namespace are invalid for the moment, although we will revisit
+ this in the future. \n A single CACertRef to a Kubernetes ConfigMap
+ kind has \"Core\" support. Implementations MAY choose to support
+ attaching multiple certificates to a backend, but this behavior
+ is implementation-specific. \n Support: Core - An optional single
+ reference to a Kubernetes ConfigMap, with the CA certificate
+ in a key named `ca.crt`. \n Support: Implementation-specific
+ (More than one reference, or other kinds of resources)."
+ items:
+ description: "LocalObjectReference identifies an API object
+ within the namespace of the referrer. The API object must
+ be valid in the cluster; the Group and Kind must be registered
+ in the cluster for this reference to be valid. \n References
+ to objects with invalid Group and Kind are not valid, and
+ must be rejected by the implementation, with appropriate Conditions
+ set on the containing object."
+ properties:
+ group:
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example "HTTPRoute"
+ or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ type: array
+ hostname:
+ description: "Hostname is used for two purposes in the connection
+ between Gateways and backends: \n 1. Hostname MUST be used as
+ the SNI to connect to the backend (RFC 6066). 2. Hostname MUST
+ be used for authentication and MUST match the certificate served
+ by the matching backend. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ wellKnownCACerts:
+ description: "WellKnownCACerts specifies whether system CA certificates
+ may be used in the TLS handshake between the gateway and backend
+ pod. \n If WellKnownCACerts is unspecified or empty (\"\"),
+ then CACertRefs must be specified with at least one entry for
+ a valid configuration. Only one of CACertRefs or WellKnownCACerts
+ may be specified, not both. \n Support: Core for \"System\""
+ enum:
+ - System
+ type: string
+ required:
+ - hostname
+ type: object
+ x-kubernetes-validations:
+ - message: must not contain both CACertRefs and WellKnownCACerts
+ rule: '!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts)
+ && self.wellKnownCACerts != "")'
+ - message: must specify either CACertRefs or WellKnownCACerts
+ rule: (has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts)
+ && self.wellKnownCACerts != "")
+ required:
+ - targetRef
+ - tls
+ type: object
+ status:
+ description: Status defines the current state of BackendTLSPolicy.
+ properties:
+ ancestors:
+ description: "Ancestors is a list of ancestor resources (usually Gateways)
+ that are associated with the policy, and the status of the policy
+ with respect to each ancestor. When this policy attaches to a parent,
+ the controller that manages the parent and the ancestors MUST add
+ an entry to this list when the controller first sees the policy
+ and SHOULD update the entry as appropriate when the relevant ancestor
+ is modified. \n Note that choosing the relevant ancestor is left
+ to the Policy designers; an important part of Policy design is designing
+ the right object level at which to namespace this status. \n Note
+ also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations
+ MUST use the ControllerName field to uniquely identify the entries
+ in this list that they are responsible for. \n Note that to achieve
+ this, the list of PolicyAncestorStatus structs MUST be treated as
+ a map with a composite key, made up of the AncestorRef and ControllerName
+ fields combined. \n A maximum of 16 ancestors will be represented
+ in this list. An empty list means the Policy is not relevant for
+ any ancestors. \n If this slice is full, implementations MUST NOT
+ add further entries. Instead they MUST consider the policy unimplementable
+ and signal that on any related resources such as the ancestor that
+ would be referenced here. For example, if this list was full on
+ BackendTLSPolicy, no additional Gateways would be able to reference
+ the Service targeted by the BackendTLSPolicy."
+ items:
+ description: "PolicyAncestorStatus describes the status of a route
+ with respect to an associated Ancestor. \n Ancestors refer to
+ objects that are either the Target of a policy or above it in
+ terms of object hierarchy. For example, if a policy targets a
+ Service, the Policy's Ancestors are, in order, the Service, the
+ HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
+ this hierarchy, the Gateway will be the most useful object to
+ place Policy status on, so we recommend that implementations SHOULD
+ use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise. \n In the context of policy
+ attachment, the Ancestor is used to distinguish which resource
+ results in a distinct application of this policy. For example,
+ if a policy targets a Service, it may have a distinct result per
+ attached Gateway. \n Policies targeting the same resource may
+ have different effects depending on the ancestors of those resources.
+ For example, different Gateways targeting the same Service may
+ have different capabilities, especially if they have different
+ underlying implementations. \n For example, in BackendTLSPolicy,
+ the Policy attaches to a Service that is used as a backend in
+ a HTTPRoute that is itself attached to a Gateway. In this case,
+ the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status. \n Note that a parent
+ is also an ancestor, so for objects where the parent is the relevant
+ object for status, this struct SHOULD still be used. \n This struct
+ is intended to be used in a slice that's effectively a map, with
+ a composite key made up of the AncestorRef and the ControllerName."
+ properties:
+ ancestorRef:
+ description: AncestorRef corresponds with a ParentRef in the
+ spec that this PolicyAncestorStatus struct describes the status
+ of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
# config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gatewayclasses.gateway.networking.k8s.io
@@ -55,10 +540,7 @@ spec:
name: Description
priority: 1
type: string
- deprecated: true
- deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and
- will be removed in a future release of the API. Please upgrade to v1beta1.
- name: v1alpha2
+ name: v1
schema:
openAPIV3Schema:
description: "GatewayClass describes a class of Gateways available to the
@@ -241,11 +723,40 @@ spec:
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
+ supportedFeatures:
+ description: 'SupportedFeatures is the set of features the GatewayClass
+ support. It MUST be sorted in ascending alphabetical order. '
+ items:
+ description: SupportedFeature is used to describe distinct features
+ that are covered by conformance tests.
+ enum:
+ - Gateway
+ - GatewayPort8080
+ - GatewayStaticAddresses
+ - HTTPRoute
+ - HTTPRouteDestinationPortMatching
+ - HTTPRouteHostRewrite
+ - HTTPRouteMethodMatching
+ - HTTPRoutePathRedirect
+ - HTTPRoutePathRewrite
+ - HTTPRoutePortRedirect
+ - HTTPRouteQueryParamMatching
+ - HTTPRouteRequestMirror
+ - HTTPRouteRequestMultipleMirrors
+ - HTTPRouteResponseHeaderModification
+ - HTTPRouteSchemeRedirect
+ - Mesh
+ - ReferenceGrant
+ - TLSRoute
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
type: object
required:
- spec
type: object
- served: false
+ served: true
storage: false
subresources:
status: {}
@@ -446,6 +957,35 @@ spec:
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
+ supportedFeatures:
+ description: 'SupportedFeatures is the set of features the GatewayClass
+ support. It MUST be sorted in ascending alphabetical order. '
+ items:
+ description: SupportedFeature is used to describe distinct features
+ that are covered by conformance tests.
+ enum:
+ - Gateway
+ - GatewayPort8080
+ - GatewayStaticAddresses
+ - HTTPRoute
+ - HTTPRouteDestinationPortMatching
+ - HTTPRouteHostRewrite
+ - HTTPRouteMethodMatching
+ - HTTPRoutePathRedirect
+ - HTTPRoutePathRewrite
+ - HTTPRoutePortRedirect
+ - HTTPRouteQueryParamMatching
+ - HTTPRouteRequestMirror
+ - HTTPRouteRequestMultipleMirrors
+ - HTTPRouteResponseHeaderModification
+ - HTTPRouteSchemeRedirect
+ - Mesh
+ - ReferenceGrant
+ - TLSRoute
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
type: object
required:
- spec
@@ -468,8 +1008,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gateways.gateway.networking.k8s.io
@@ -499,10 +1039,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- deprecated: true
- deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will
- be removed in a future release of the API. Please upgrade to v1beta1.
- name: v1alpha2
+ name: v1
schema:
openAPIV3Schema:
description: Gateway represents an instance of a service-traffic handling
@@ -532,14 +1069,12 @@ spec:
for the address(es) on the \"outside of the Gateway\", that traffic
bound for this Gateway will use. This could be the IP address or
hostname of an external load balancer or other networking infrastructure,
- or some other address that traffic will be sent to. \n The .listener.hostname
- field is used to route traffic that has already arrived at the Gateway
- to the correct in-cluster destination. \n If no Addresses are specified,
- the implementation MAY schedule the Gateway in an implementation-specific
- manner, assigning an appropriate set of Addresses. \n The implementation
- MUST bind all Listeners to every GatewayAddress that it assigns
- to the Gateway and add a corresponding entry in GatewayStatus.Addresses.
- \n Support: Extended \n "
+ or some other address that traffic will be sent to. \n If no Addresses
+ are specified, the implementation MAY schedule the Gateway in an
+ implementation-specific manner, assigning an appropriate set of
+ Addresses. \n The implementation MUST bind all Listeners to every
+ GatewayAddress that it assigns to the Gateway and add a corresponding
+ entry in GatewayStatus.Addresses. \n Support: Extended \n "
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
@@ -595,39 +1130,134 @@ spec:
maxLength: 253
minLength: 1
type: string
+ infrastructure:
+ description: "Infrastructure defines infrastructure level attributes
+ about this Gateway instance. \n Support: Core \n "
+ properties:
+ annotations:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Annotations that SHOULD be applied to any resources
+ created in response to this Gateway. \n For implementations
+ creating other Kubernetes objects, this should be the `metadata.annotations`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"annotations\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ annotations as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ labels:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Labels that SHOULD be applied to any resources created
+ in response to this Gateway. \n For implementations creating
+ other Kubernetes objects, this should be the `metadata.labels`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"labels\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ labels as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ type: object
listeners:
description: "Listeners associated with this Gateway. Listeners define
logical endpoints that are bound on this Gateway's addresses. At
- least one Listener MUST be specified. \n Each listener in a Gateway
- must have a unique combination of Hostname, Port, and Protocol.
- \n Within the HTTP Conformance Profile, the below combinations of
- port and protocol are considered Core and MUST be supported: \n
- 1. Port: 80, Protocol: HTTP 2. Port: 443, Protocol: HTTPS \n Within
- the TLS Conformance Profile, the below combinations of port and
- protocol are considered Core and MUST be supported: \n 1. Port:
- 443, Protocol: TLS \n Port and protocol combinations not listed
- above are considered Extended. \n An implementation MAY group Listeners
- by Port and then collapse each group of Listeners into a single
- Listener if the implementation determines that the Listeners in
- the group are \"compatible\". An implementation MAY also group together
- and collapse compatible Listeners belonging to different Gateways.
- \n For example, an implementation might consider Listeners to be
- compatible with each other if all of the following conditions are
- met: \n 1. Either each Listener within the group specifies the \"HTTP\"
- Protocol or each Listener within the group specifies either the
- \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group
- specifies a Hostname that is unique within the group. \n 3. As a
- special case, one Listener within a group may omit Hostname, in
- which case this Listener matches when no other Listener matches.
- \n If the implementation does collapse compatible Listeners, the
- hostname provided in the incoming client request MUST be matched
- to a Listener to find the correct set of Routes. The incoming hostname
- MUST be matched using the Hostname field for each Listener in order
- of most to least specific. That is, exact matches must be processed
- before wildcard matches. \n If this field specifies multiple Listeners
- that have the same Port value but are not compatible, the implementation
- must raise a \"Conflicted\" condition in the Listener status. \n
- Support: Core"
+ least one Listener MUST be specified. \n Each Listener in a set
+ of Listeners (for example, in a single Gateway) MUST be _distinct_,
+ in that a traffic flow MUST be able to be assigned to exactly one
+ listener. (This section uses \"set of Listeners\" rather than \"Listeners
+ in a single Gateway\" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules
+ _also_ apply in that case). \n Practically, this means that each
+ listener in a set MUST have a unique combination of Port, Protocol,
+ and, if supported by the protocol, Hostname. \n Some combinations
+ of port, protocol, and TLS settings are considered Core support
+ and MUST be supported by implementations based on their targeted
+ conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
+ Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
+ Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
+ 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
+ have the following property: \n The implementation can match inbound
+ requests to a single distinct Listener. When multiple Listeners
+ share values for fields (for example, two Listeners with the same
+ Port value), the implementation can match requests to only one of
+ the Listeners using other Listener fields. \n For example, the following
+ Listener scenarios are distinct: \n 1. Multiple Listeners with the
+ same Port that all use the \"HTTP\" Protocol that all have unique
+ Hostname values. 2. Multiple Listeners with the same Port that use
+ either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
+ values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
+ where no Listener with the same Protocol has the same Port value.
+ \n Some fields in the Listener struct have possible values that
+ affect whether the Listener is distinct. Hostname is particularly
+ relevant for HTTP or HTTPS protocols. \n When using the Hostname
+ value to select between same-Port, same-Protocol Listeners, the
+ Hostname value must be different on each Listener for the Listener
+ to be distinct. \n When the Listeners are distinct based on Hostname,
+ inbound request hostnames MUST match from the most specific to least
+ specific Hostname values to choose the correct Listener and its
+ associated set of Routes. \n Exact matches must be processed before
+ wildcard matches, and wildcard matches must be processed before
+ fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
+ takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
+ takes precedence over `\"\"`. \n Additionally, if there are multiple
+ wildcard entries, more specific wildcard entries must be processed
+ before less specific wildcard entries. For example, `\"*.foo.example.com\"`
+ takes precedence over `\"*.example.com\"`. The precise definition
+ here is that the higher the number of dots in the hostname to the
+ right of the wildcard character, the higher the precedence. \n The
+ wildcard character will match any number of characters _and dots_
+ to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
+ _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
+ that are not distinct, then those Listeners are Conflicted, and
+ the implementation MUST set the \"Conflicted\" condition in the
+ Listener Status to \"True\". \n Implementations MAY choose to accept
+ a Gateway with some Conflicted Listeners only if they only accept
+ the partial Listener set that contains no Conflicted Listeners.
+ To put this another way, implementations may accept a partial Listener
+ set only if they throw out *all* the conflicting Listeners. No picking
+ one of the conflicting listeners as the winner. This also means
+ that the Gateway must have at least one non-conflicting Listener
+ in this case, otherwise it violates the requirement that at least
+ one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
+ condition on the Gateway Status when the Gateway contains Conflicted
+ Listeners whether or not they accept the Gateway. That Condition
+ SHOULD clearly indicate in the Message which Listeners are conflicted,
+ and which are Accepted. Additionally, the Listener status for those
+ listeners SHOULD indicate which Listeners are conflicted and not
+ Accepted. \n A Gateway's Listeners are considered \"compatible\"
+ if: \n 1. They are distinct. 2. The implementation can serve them
+ in compliance with the Addresses requirement that all Listeners
+ are available on all assigned addresses. \n Compatible combinations
+ in Extended support are expected to vary across implementations.
+ A combination that is compatible for one implementation may not
+ be compatible for another. \n For example, an implementation that
+ cannot serve both TCP and UDP listeners on the same address, or
+ cannot mix HTTPS and generic TLS listens on the same port would
+ not consider those cases compatible, even though they are distinct.
+ \n Note that requests SHOULD match at most one Listener. For example,
+ if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
+ a request to \"foo.example.com\" SHOULD only be routed using routes
+ attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
+ Listener). This concept is known as \"Listener Isolation\". Implementations
+ that do not support Listener Isolation MUST clearly document this.
+ \n Implementations MAY merge separate Gateways onto a single set
+ of Addresses if all Listeners across all Gateways are compatible.
+ \n Support: Core"
items:
description: Listener embodies the concept of a logical endpoint
where a Gateway accepts network connections.
@@ -876,14 +1506,14 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the
- local namespace is specified, a ReferenceGrant object
- is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the
- ReferenceGrant documentation for details. \n Support:
- Core"
+ description: "Namespace is the namespace of the referenced
+ object. When unspecified, the local namespace is
+ inferred. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to
+ allow that namespace's owner to accept the reference.
+ See the ReferenceGrant documentation for details.
+ \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -985,13 +1615,15 @@ spec:
description: Status defines the current state of Gateway.
properties:
addresses:
- description: "Addresses lists the IP addresses that have actually
- been bound to the Gateway. These addresses may differ from the addresses
- in the Spec, e.g. if the Gateway automatically assigns an address
- from a reserved pool. \n "
+ description: "Addresses lists the network addresses that have been
+ bound to the Gateway. \n This list may differ from the addresses
+ provided in the spec under some conditions: \n * no addresses are
+ specified, all addresses are dynamically assigned * a combination
+ of specified and dynamic addresses are assigned * a specified address
+ was unusable (e.g. already in use) \n "
items:
- description: GatewayStatusAddress describes an address that is bound
- to a Gateway.
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
oneOf:
- properties:
type:
@@ -1127,8 +1759,23 @@ spec:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
- description: AttachedRoutes represents the total number of accepted
+ description: "AttachedRoutes represents the total number of
Routes that have been successfully attached to this Listener.
+ \n Successful attachment of a Route to a Listener is based
+ solely on the combination of the AllowedRoutes field on the
+ corresponding Listener and the Route's ParentRefs field. A
+ Route is successfully attached to a Listener when it is selected
+ by the Listener's AllowedRoutes field AND the Route has a
+ valid ParentRef selecting the whole Gateway resource or a
+ specific Listener as a parent resource (more detail on attachment
+ semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does
+ not impact successful attachment, i.e. the AttachedRoutes
+ field count MUST be set for Listeners with condition Accepted:
+ false and MUST count successfully attached Routes that may
+ themselves have Accepted: false conditions. \n Uses for this
+ field include troubleshooting Route attachment and measuring
+ blast radius/impact of changes to a Listener."
format: int32
type: integer
conditions:
@@ -1263,7 +1910,7 @@ spec:
required:
- spec
type: object
- served: false
+ served: true
storage: false
subresources:
status: {}
@@ -1310,14 +1957,12 @@ spec:
for the address(es) on the \"outside of the Gateway\", that traffic
bound for this Gateway will use. This could be the IP address or
hostname of an external load balancer or other networking infrastructure,
- or some other address that traffic will be sent to. \n The .listener.hostname
- field is used to route traffic that has already arrived at the Gateway
- to the correct in-cluster destination. \n If no Addresses are specified,
- the implementation MAY schedule the Gateway in an implementation-specific
- manner, assigning an appropriate set of Addresses. \n The implementation
- MUST bind all Listeners to every GatewayAddress that it assigns
- to the Gateway and add a corresponding entry in GatewayStatus.Addresses.
- \n Support: Extended \n "
+ or some other address that traffic will be sent to. \n If no Addresses
+ are specified, the implementation MAY schedule the Gateway in an
+ implementation-specific manner, assigning an appropriate set of
+ Addresses. \n The implementation MUST bind all Listeners to every
+ GatewayAddress that it assigns to the Gateway and add a corresponding
+ entry in GatewayStatus.Addresses. \n Support: Extended \n "
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
@@ -1373,39 +2018,134 @@ spec:
maxLength: 253
minLength: 1
type: string
+ infrastructure:
+ description: "Infrastructure defines infrastructure level attributes
+ about this Gateway instance. \n Support: Core \n "
+ properties:
+ annotations:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Annotations that SHOULD be applied to any resources
+ created in response to this Gateway. \n For implementations
+ creating other Kubernetes objects, this should be the `metadata.annotations`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"annotations\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ annotations as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ labels:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Labels that SHOULD be applied to any resources created
+ in response to this Gateway. \n For implementations creating
+ other Kubernetes objects, this should be the `metadata.labels`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"labels\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ labels as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ type: object
listeners:
description: "Listeners associated with this Gateway. Listeners define
logical endpoints that are bound on this Gateway's addresses. At
- least one Listener MUST be specified. \n Each listener in a Gateway
- must have a unique combination of Hostname, Port, and Protocol.
- \n Within the HTTP Conformance Profile, the below combinations of
- port and protocol are considered Core and MUST be supported: \n
- 1. Port: 80, Protocol: HTTP 2. Port: 443, Protocol: HTTPS \n Within
- the TLS Conformance Profile, the below combinations of port and
- protocol are considered Core and MUST be supported: \n 1. Port:
- 443, Protocol: TLS \n Port and protocol combinations not listed
- above are considered Extended. \n An implementation MAY group Listeners
- by Port and then collapse each group of Listeners into a single
- Listener if the implementation determines that the Listeners in
- the group are \"compatible\". An implementation MAY also group together
- and collapse compatible Listeners belonging to different Gateways.
- \n For example, an implementation might consider Listeners to be
- compatible with each other if all of the following conditions are
- met: \n 1. Either each Listener within the group specifies the \"HTTP\"
- Protocol or each Listener within the group specifies either the
- \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group
- specifies a Hostname that is unique within the group. \n 3. As a
- special case, one Listener within a group may omit Hostname, in
- which case this Listener matches when no other Listener matches.
- \n If the implementation does collapse compatible Listeners, the
- hostname provided in the incoming client request MUST be matched
- to a Listener to find the correct set of Routes. The incoming hostname
- MUST be matched using the Hostname field for each Listener in order
- of most to least specific. That is, exact matches must be processed
- before wildcard matches. \n If this field specifies multiple Listeners
- that have the same Port value but are not compatible, the implementation
- must raise a \"Conflicted\" condition in the Listener status. \n
- Support: Core"
+ least one Listener MUST be specified. \n Each Listener in a set
+ of Listeners (for example, in a single Gateway) MUST be _distinct_,
+ in that a traffic flow MUST be able to be assigned to exactly one
+ listener. (This section uses \"set of Listeners\" rather than \"Listeners
+ in a single Gateway\" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules
+ _also_ apply in that case). \n Practically, this means that each
+ listener in a set MUST have a unique combination of Port, Protocol,
+ and, if supported by the protocol, Hostname. \n Some combinations
+ of port, protocol, and TLS settings are considered Core support
+ and MUST be supported by implementations based on their targeted
+ conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
+ Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
+ Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
+ 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
+ have the following property: \n The implementation can match inbound
+ requests to a single distinct Listener. When multiple Listeners
+ share values for fields (for example, two Listeners with the same
+ Port value), the implementation can match requests to only one of
+ the Listeners using other Listener fields. \n For example, the following
+ Listener scenarios are distinct: \n 1. Multiple Listeners with the
+ same Port that all use the \"HTTP\" Protocol that all have unique
+ Hostname values. 2. Multiple Listeners with the same Port that use
+ either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
+ values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
+ where no Listener with the same Protocol has the same Port value.
+ \n Some fields in the Listener struct have possible values that
+ affect whether the Listener is distinct. Hostname is particularly
+ relevant for HTTP or HTTPS protocols. \n When using the Hostname
+ value to select between same-Port, same-Protocol Listeners, the
+ Hostname value must be different on each Listener for the Listener
+ to be distinct. \n When the Listeners are distinct based on Hostname,
+ inbound request hostnames MUST match from the most specific to least
+ specific Hostname values to choose the correct Listener and its
+ associated set of Routes. \n Exact matches must be processed before
+ wildcard matches, and wildcard matches must be processed before
+ fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
+ takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
+ takes precedence over `\"\"`. \n Additionally, if there are multiple
+ wildcard entries, more specific wildcard entries must be processed
+ before less specific wildcard entries. For example, `\"*.foo.example.com\"`
+ takes precedence over `\"*.example.com\"`. The precise definition
+ here is that the higher the number of dots in the hostname to the
+ right of the wildcard character, the higher the precedence. \n The
+ wildcard character will match any number of characters _and dots_
+ to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
+ _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
+ that are not distinct, then those Listeners are Conflicted, and
+ the implementation MUST set the \"Conflicted\" condition in the
+ Listener Status to \"True\". \n Implementations MAY choose to accept
+ a Gateway with some Conflicted Listeners only if they only accept
+ the partial Listener set that contains no Conflicted Listeners.
+ To put this another way, implementations may accept a partial Listener
+ set only if they throw out *all* the conflicting Listeners. No picking
+ one of the conflicting listeners as the winner. This also means
+ that the Gateway must have at least one non-conflicting Listener
+ in this case, otherwise it violates the requirement that at least
+ one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
+ condition on the Gateway Status when the Gateway contains Conflicted
+ Listeners whether or not they accept the Gateway. That Condition
+ SHOULD clearly indicate in the Message which Listeners are conflicted,
+ and which are Accepted. Additionally, the Listener status for those
+ listeners SHOULD indicate which Listeners are conflicted and not
+ Accepted. \n A Gateway's Listeners are considered \"compatible\"
+ if: \n 1. They are distinct. 2. The implementation can serve them
+ in compliance with the Addresses requirement that all Listeners
+ are available on all assigned addresses. \n Compatible combinations
+ in Extended support are expected to vary across implementations.
+ A combination that is compatible for one implementation may not
+ be compatible for another. \n For example, an implementation that
+ cannot serve both TCP and UDP listeners on the same address, or
+ cannot mix HTTPS and generic TLS listens on the same port would
+ not consider those cases compatible, even though they are distinct.
+ \n Note that requests SHOULD match at most one Listener. For example,
+ if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
+ a request to \"foo.example.com\" SHOULD only be routed using routes
+ attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
+ Listener). This concept is known as \"Listener Isolation\". Implementations
+ that do not support Listener Isolation MUST clearly document this.
+ \n Implementations MAY merge separate Gateways onto a single set
+ of Addresses if all Listeners across all Gateways are compatible.
+ \n Support: Core"
items:
description: Listener embodies the concept of a logical endpoint
where a Gateway accepts network connections.
@@ -1654,14 +2394,14 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the
- local namespace is specified, a ReferenceGrant object
- is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the
- ReferenceGrant documentation for details. \n Support:
- Core"
+ description: "Namespace is the namespace of the referenced
+ object. When unspecified, the local namespace is
+ inferred. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to
+ allow that namespace's owner to accept the reference.
+ See the ReferenceGrant documentation for details.
+ \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -1763,13 +2503,15 @@ spec:
description: Status defines the current state of Gateway.
properties:
addresses:
- description: "Addresses lists the IP addresses that have actually
- been bound to the Gateway. These addresses may differ from the addresses
- in the Spec, e.g. if the Gateway automatically assigns an address
- from a reserved pool. \n "
+ description: "Addresses lists the network addresses that have been
+ bound to the Gateway. \n This list may differ from the addresses
+ provided in the spec under some conditions: \n * no addresses are
+ specified, all addresses are dynamically assigned * a combination
+ of specified and dynamic addresses are assigned * a specified address
+ was unusable (e.g. already in use) \n "
items:
- description: GatewayStatusAddress describes an address that is bound
- to a Gateway.
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
oneOf:
- properties:
type:
@@ -1905,8 +2647,23 @@ spec:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
- description: AttachedRoutes represents the total number of accepted
+ description: "AttachedRoutes represents the total number of
Routes that have been successfully attached to this Listener.
+ \n Successful attachment of a Route to a Listener is based
+ solely on the combination of the AllowedRoutes field on the
+ corresponding Listener and the Route's ParentRefs field. A
+ Route is successfully attached to a Listener when it is selected
+ by the Listener's AllowedRoutes field AND the Route has a
+ valid ParentRef selecting the whole Gateway resource or a
+ specific Listener as a parent resource (more detail on attachment
+ semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does
+ not impact successful attachment, i.e. the AttachedRoutes
+ field count MUST be set for Listeners with condition Accepted:
+ false and MUST count successfully attached Routes that may
+ themselves have Accepted: false conditions. \n Uses for this
+ field include troubleshooting Route attachment and measuring
+ blast radius/impact of changes to a Listener."
format: int32
type: integer
conditions:
@@ -2059,8 +2816,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: grpcroutes.gateway.networking.k8s.io
@@ -2191,30 +2948,41 @@ spec:
for governing ParentRefs to Services - it is not possible to create
a \"producer\" route for a Service in a different namespace from
the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) \n This
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
API may be extended in the future to support additional kinds of
- parent resources. \n It is invalid to reference an identical parent
- more than once. It is valid to reference multiple distinct sections
- within the same parent resource, such as two separate Listeners
- on the same Gateway or two separate ports on the same Service. \n
- It is possible to separately reference multiple distinct objects
- that may be collapsed by an implementation. For example, some implementations
- may choose to merge compatible Gateway Listeners together. If that
- is the case, the list of routes attached to those resources should
- also be merged. \n Note that for ParentRefs that cross namespace
- boundaries, there are specific rules. Cross-namespace references
- are only valid if they are explicitly allowed by something in the
- namespace they are referring to. For example, Gateway has the AllowedRoutes
- field, and ReferenceGrant provides a generic way to enable other
- kinds of cross-namespace reference. \n ParentRefs from a Route to
- a Service in the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any namespace
- to the Service. \n ParentRefs from a Route to a Service in a different
- namespace are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same namespace
- as the Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route. \n "
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
@@ -2262,7 +3030,7 @@ spec:
the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
+ \n ParentRefs from a Route to a Service in the same namespace
are \"producer\" routes, which apply default routing rules
to inbound connections from any namespace to the Service.
\n ParentRefs from a Route to a Service in a different namespace
@@ -2270,7 +3038,7 @@ spec:
applied to outbound connections originating from the same
namespace as the Route, for which the intended destination
of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+ the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -2285,11 +3053,11 @@ spec:
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
+ must match both specified values. \n When the parent resource
is a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
+ values. \n Implementations MAY choose to support other parent
resources. Implementations supporting other types of parent
resources MUST clearly document how/if Port is interpreted.
\n For the purpose of status, an attachment is considered
@@ -2341,16 +3109,13 @@ spec:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && ( ( (!has(p1.__namespace__)
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
|| p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''') ) || ( has(p1.__namespace__) && has(p2.__namespace__)
- && p1.__namespace__ == p2.__namespace__ ) ) ? ( ( ( (!has(p1.sectionName)
- || p1.sectionName == '''') && (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0) ) || ( ( (has(p1.sectionName) && p1.sectionName
- != '''') || (has(p1.port) && p1.port != 0) ) && ( (has(p2.sectionName)
- && p2.sectionName != '''') || (has(p2.port) && p2.port != 0) )
- ) ) ): true ))'
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
- message: sectionName or port must be unique when parentRefs includes
2 or more references to the same parent
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
@@ -2391,8 +3156,25 @@ spec:
Service \n Support: Implementation-specific for any other
resource \n Support for weight: Core"
items:
- description: GRPCBackendRef defines how a GRPCRoute forwards
- a gRPC request.
+ description: "GRPCBackendRef defines how a GRPCRoute forwards
+ a gRPC request. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ "
properties:
filters:
description: "Filters defined at this level MUST be executed
@@ -3658,7 +4440,7 @@ spec:
in the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides
a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
+ reference. \n ParentRefs from a Route to a Service in
the same namespace are \"producer\" routes, which apply
default routing rules to inbound connections from any
namespace to the Service. \n ParentRefs from a Route to
@@ -3666,7 +4448,7 @@ spec:
and these routing rules are only applied to outbound connections
originating from the same namespace as the Route, for
which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
+ a Service targeted as a ParentRef of the Route. \n Support:
Core"
maxLength: 63
minLength: 1
@@ -3683,11 +4465,11 @@ spec:
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
- both specified values. \n When the parent resource is
+ both specified values. \n When the parent resource is
a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are
specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
+ match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
@@ -3764,8 +4546,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: httproutes.gateway.networking.k8s.io
@@ -3787,10 +4569,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- deprecated: true
- deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and
- will be removed in a future release of the API. Please upgrade to v1beta1.
- name: v1alpha2
+ name: v1
schema:
openAPIV3Schema:
description: HTTPRoute provides a way to route HTTP requests. This includes
@@ -3883,30 +4662,41 @@ spec:
for governing ParentRefs to Services - it is not possible to create
a \"producer\" route for a Service in a different namespace from
the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) \n This
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
API may be extended in the future to support additional kinds of
- parent resources. \n It is invalid to reference an identical parent
- more than once. It is valid to reference multiple distinct sections
- within the same parent resource, such as two separate Listeners
- on the same Gateway or two separate ports on the same Service. \n
- It is possible to separately reference multiple distinct objects
- that may be collapsed by an implementation. For example, some implementations
- may choose to merge compatible Gateway Listeners together. If that
- is the case, the list of routes attached to those resources should
- also be merged. \n Note that for ParentRefs that cross namespace
- boundaries, there are specific rules. Cross-namespace references
- are only valid if they are explicitly allowed by something in the
- namespace they are referring to. For example, Gateway has the AllowedRoutes
- field, and ReferenceGrant provides a generic way to enable other
- kinds of cross-namespace reference. \n ParentRefs from a Route to
- a Service in the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any namespace
- to the Service. \n ParentRefs from a Route to a Service in a different
- namespace are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same namespace
- as the Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route. \n "
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
@@ -3954,7 +4744,7 @@ spec:
the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
+ \n ParentRefs from a Route to a Service in the same namespace
are \"producer\" routes, which apply default routing rules
to inbound connections from any namespace to the Service.
\n ParentRefs from a Route to a Service in a different namespace
@@ -3962,7 +4752,7 @@ spec:
applied to outbound connections originating from the same
namespace as the Route, for which the intended destination
of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+ the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -3977,11 +4767,11 @@ spec:
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
+ must match both specified values. \n When the parent resource
is a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
+ values. \n Implementations MAY choose to support other parent
resources. Implementations supporting other types of parent
resources MUST clearly document how/if Port is interpreted.
\n For the purpose of status, an attachment is considered
@@ -4033,16 +4823,13 @@ spec:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && ( ( (!has(p1.__namespace__)
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
|| p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''') ) || ( has(p1.__namespace__) && has(p2.__namespace__)
- && p1.__namespace__ == p2.__namespace__ ) ) ? ( ( ( (!has(p1.sectionName)
- || p1.sectionName == '''') && (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0) ) || ( ( (has(p1.sectionName) && p1.sectionName
- != '''') || (has(p1.port) && p1.port != 0) ) && ( (has(p2.sectionName)
- && p2.sectionName != '''') || (has(p2.port) && p2.port != 0) )
- ) ) ): true ))'
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
- message: sectionName or port must be unique when parentRefs includes
2 or more references to the same parent
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
@@ -4088,8 +4875,25 @@ spec:
for Kubernetes ServiceImport \n Support: Implementation-specific
for any other resource \n Support for weight: Core"
items:
- description: HTTPBackendRef defines how a HTTPRoute should
- forward an HTTP request.
+ description: "HTTPBackendRef defines how a HTTPRoute forwards
+ a HTTP request. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ "
properties:
filters:
description: "Filters defined at this level should be
@@ -5875,6 +6679,48 @@ spec:
type: object
maxItems: 8
type: array
+ timeouts:
+ description: "Timeouts defines the timeouts that can be configured
+ for an HTTP request. \n Support: Extended \n "
+ properties:
+ backendRequest:
+ description: "BackendRequest specifies a timeout for an
+ individual request from the gateway to a backend. This
+ covers the time from when the request first starts being
+ sent from the gateway to when the full response has been
+ received from the backend. \n An entire client HTTP transaction
+ with a gateway, covered by the Request timeout, may result
+ in more than one call from the gateway to the destination
+ backend, for example, if automatic retries are supported.
+ \n Because the Request timeout encompasses the BackendRequest
+ timeout, the value of BackendRequest must be <= the value
+ of Request timeout. \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: "Request specifies the maximum duration for
+ a gateway to respond to an HTTP request. If the gateway
+ has not been able to respond before this deadline is met,
+ the gateway MUST return a timeout error. \n For example,
+ setting the `rules.timeouts.request` field to the value
+ `10s` in an `HTTPRoute` will cause a timeout if a client
+ request is taking longer than 10 seconds to complete.
+ \n This timeout is intended to cover as close to the whole
+ request-response transaction as possible although an implementation
+ MAY choose to start the timeout after the entire request
+ stream has been received instead of immediately after
+ the transaction is initiated by the client. \n When this
+ field is unspecified, request timeout behavior is implementation-specific.
+ \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
type: object
x-kubernetes-validations:
- message: RequestRedirect filter must not be used together with
@@ -6088,7 +6934,7 @@ spec:
in the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides
a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
+ reference. \n ParentRefs from a Route to a Service in
the same namespace are \"producer\" routes, which apply
default routing rules to inbound connections from any
namespace to the Service. \n ParentRefs from a Route to
@@ -6096,7 +6942,7 @@ spec:
and these routing rules are only applied to outbound connections
originating from the same namespace as the Route, for
which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
+ a Service targeted as a ParentRef of the Route. \n Support:
Core"
maxLength: 63
minLength: 1
@@ -6113,11 +6959,11 @@ spec:
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
- both specified values. \n When the parent resource is
+ both specified values. \n When the parent resource is
a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are
specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
+ match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
@@ -6178,7 +7024,7 @@ spec:
required:
- spec
type: object
- served: false
+ served: true
storage: false
subresources:
status: {}
@@ -6282,30 +7128,41 @@ spec:
for governing ParentRefs to Services - it is not possible to create
a \"producer\" route for a Service in a different namespace from
the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) \n This
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
API may be extended in the future to support additional kinds of
- parent resources. \n It is invalid to reference an identical parent
- more than once. It is valid to reference multiple distinct sections
- within the same parent resource, such as two separate Listeners
- on the same Gateway or two separate ports on the same Service. \n
- It is possible to separately reference multiple distinct objects
- that may be collapsed by an implementation. For example, some implementations
- may choose to merge compatible Gateway Listeners together. If that
- is the case, the list of routes attached to those resources should
- also be merged. \n Note that for ParentRefs that cross namespace
- boundaries, there are specific rules. Cross-namespace references
- are only valid if they are explicitly allowed by something in the
- namespace they are referring to. For example, Gateway has the AllowedRoutes
- field, and ReferenceGrant provides a generic way to enable other
- kinds of cross-namespace reference. \n ParentRefs from a Route to
- a Service in the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any namespace
- to the Service. \n ParentRefs from a Route to a Service in a different
- namespace are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same namespace
- as the Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route. \n "
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
@@ -6353,7 +7210,7 @@ spec:
the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
+ \n ParentRefs from a Route to a Service in the same namespace
are \"producer\" routes, which apply default routing rules
to inbound connections from any namespace to the Service.
\n ParentRefs from a Route to a Service in a different namespace
@@ -6361,7 +7218,7 @@ spec:
applied to outbound connections originating from the same
namespace as the Route, for which the intended destination
of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+ the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -6376,11 +7233,11 @@ spec:
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
+ must match both specified values. \n When the parent resource
is a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
+ values. \n Implementations MAY choose to support other parent
resources. Implementations supporting other types of parent
resources MUST clearly document how/if Port is interpreted.
\n For the purpose of status, an attachment is considered
@@ -6432,16 +7289,13 @@ spec:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && ( ( (!has(p1.__namespace__)
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
|| p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''') ) || ( has(p1.__namespace__) && has(p2.__namespace__)
- && p1.__namespace__ == p2.__namespace__ ) ) ? ( ( ( (!has(p1.sectionName)
- || p1.sectionName == '''') && (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0) ) || ( ( (has(p1.sectionName) && p1.sectionName
- != '''') || (has(p1.port) && p1.port != 0) ) && ( (has(p2.sectionName)
- && p2.sectionName != '''') || (has(p2.port) && p2.port != 0) )
- ) ) ): true ))'
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
- message: sectionName or port must be unique when parentRefs includes
2 or more references to the same parent
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
@@ -6487,8 +7341,25 @@ spec:
for Kubernetes ServiceImport \n Support: Implementation-specific
for any other resource \n Support for weight: Core"
items:
- description: HTTPBackendRef defines how a HTTPRoute should
- forward an HTTP request.
+ description: "HTTPBackendRef defines how a HTTPRoute forwards
+ a HTTP request. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ "
properties:
filters:
description: "Filters defined at this level should be
@@ -8274,6 +9145,48 @@ spec:
type: object
maxItems: 8
type: array
+ timeouts:
+ description: "Timeouts defines the timeouts that can be configured
+ for an HTTP request. \n Support: Extended \n "
+ properties:
+ backendRequest:
+ description: "BackendRequest specifies a timeout for an
+ individual request from the gateway to a backend. This
+ covers the time from when the request first starts being
+ sent from the gateway to when the full response has been
+ received from the backend. \n An entire client HTTP transaction
+ with a gateway, covered by the Request timeout, may result
+ in more than one call from the gateway to the destination
+ backend, for example, if automatic retries are supported.
+ \n Because the Request timeout encompasses the BackendRequest
+ timeout, the value of BackendRequest must be <= the value
+ of Request timeout. \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: "Request specifies the maximum duration for
+ a gateway to respond to an HTTP request. If the gateway
+ has not been able to respond before this deadline is met,
+ the gateway MUST return a timeout error. \n For example,
+ setting the `rules.timeouts.request` field to the value
+ `10s` in an `HTTPRoute` will cause a timeout if a client
+ request is taking longer than 10 seconds to complete.
+ \n This timeout is intended to cover as close to the whole
+ request-response transaction as possible although an implementation
+ MAY choose to start the timeout after the entire request
+ stream has been received instead of immediately after
+ the transaction is initiated by the client. \n When this
+ field is unspecified, request timeout behavior is implementation-specific.
+ \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
type: object
x-kubernetes-validations:
- message: RequestRedirect filter must not be used together with
@@ -8487,7 +9400,7 @@ spec:
in the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides
a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
+ reference. \n ParentRefs from a Route to a Service in
the same namespace are \"producer\" routes, which apply
default routing rules to inbound connections from any
namespace to the Service. \n ParentRefs from a Route to
@@ -8495,7 +9408,7 @@ spec:
and these routing rules are only applied to outbound connections
originating from the same namespace as the Route, for
which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
+ a Service targeted as a ParentRef of the Route. \n Support:
Core"
maxLength: 63
minLength: 1
@@ -8512,11 +9425,11 @@ spec:
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
- both specified values. \n When the parent resource is
+ both specified values. \n When the parent resource is
a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are
specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
+ match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
@@ -8595,8 +9508,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: referencegrants.gateway.networking.k8s.io
@@ -8884,8 +9797,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tcproutes.gateway.networking.k8s.io
@@ -8938,30 +9851,41 @@ spec:
for governing ParentRefs to Services - it is not possible to create
a \"producer\" route for a Service in a different namespace from
the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) \n This
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
API may be extended in the future to support additional kinds of
- parent resources. \n It is invalid to reference an identical parent
- more than once. It is valid to reference multiple distinct sections
- within the same parent resource, such as two separate Listeners
- on the same Gateway or two separate ports on the same Service. \n
- It is possible to separately reference multiple distinct objects
- that may be collapsed by an implementation. For example, some implementations
- may choose to merge compatible Gateway Listeners together. If that
- is the case, the list of routes attached to those resources should
- also be merged. \n Note that for ParentRefs that cross namespace
- boundaries, there are specific rules. Cross-namespace references
- are only valid if they are explicitly allowed by something in the
- namespace they are referring to. For example, Gateway has the AllowedRoutes
- field, and ReferenceGrant provides a generic way to enable other
- kinds of cross-namespace reference. \n ParentRefs from a Route to
- a Service in the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any namespace
- to the Service. \n ParentRefs from a Route to a Service in a different
- namespace are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same namespace
- as the Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route. \n "
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
@@ -9009,7 +9933,7 @@ spec:
the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
+ \n ParentRefs from a Route to a Service in the same namespace
are \"producer\" routes, which apply default routing rules
to inbound connections from any namespace to the Service.
\n ParentRefs from a Route to a Service in a different namespace
@@ -9017,7 +9941,7 @@ spec:
applied to outbound connections originating from the same
namespace as the Route, for which the intended destination
of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+ the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -9032,11 +9956,11 @@ spec:
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
+ must match both specified values. \n When the parent resource
is a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
+ values. \n Implementations MAY choose to support other parent
resources. Implementations supporting other types of parent
resources MUST clearly document how/if Port is interpreted.
\n For the purpose of status, an attachment is considered
@@ -9088,16 +10012,13 @@ spec:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && ( ( (!has(p1.__namespace__)
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
|| p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''') ) || ( has(p1.__namespace__) && has(p2.__namespace__)
- && p1.__namespace__ == p2.__namespace__ ) ) ? ( ( ( (!has(p1.sectionName)
- || p1.sectionName == '''') && (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0) ) || ( ( (has(p1.sectionName) && p1.sectionName
- != '''') || (has(p1.port) && p1.port != 0) ) && ( (has(p2.sectionName)
- && p2.sectionName != '''') || (has(p2.port) && p2.port != 0) )
- ) ) ): true ))'
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
- message: sectionName or port must be unique when parentRefs includes
2 or more references to the same parent
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
@@ -9132,7 +10053,24 @@ spec:
namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace
to allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details."
+ See the ReferenceGrant documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ \n Note that when the
+ BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here.
+ See the fields where this struct is used for more information
+ about the exact behavior."
properties:
group:
default: ""
@@ -9392,7 +10330,7 @@ spec:
in the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides
a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
+ reference. \n ParentRefs from a Route to a Service in
the same namespace are \"producer\" routes, which apply
default routing rules to inbound connections from any
namespace to the Service. \n ParentRefs from a Route to
@@ -9400,7 +10338,7 @@ spec:
and these routing rules are only applied to outbound connections
originating from the same namespace as the Route, for
which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
+ a Service targeted as a ParentRef of the Route. \n Support:
Core"
maxLength: 63
minLength: 1
@@ -9417,11 +10355,11 @@ spec:
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
- both specified values. \n When the parent resource is
+ both specified values. \n When the parent resource is
a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are
specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
+ match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
@@ -9500,8 +10438,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tlsroutes.gateway.networking.k8s.io
@@ -9600,30 +10538,41 @@ spec:
for governing ParentRefs to Services - it is not possible to create
a \"producer\" route for a Service in a different namespace from
the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) \n This
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
API may be extended in the future to support additional kinds of
- parent resources. \n It is invalid to reference an identical parent
- more than once. It is valid to reference multiple distinct sections
- within the same parent resource, such as two separate Listeners
- on the same Gateway or two separate ports on the same Service. \n
- It is possible to separately reference multiple distinct objects
- that may be collapsed by an implementation. For example, some implementations
- may choose to merge compatible Gateway Listeners together. If that
- is the case, the list of routes attached to those resources should
- also be merged. \n Note that for ParentRefs that cross namespace
- boundaries, there are specific rules. Cross-namespace references
- are only valid if they are explicitly allowed by something in the
- namespace they are referring to. For example, Gateway has the AllowedRoutes
- field, and ReferenceGrant provides a generic way to enable other
- kinds of cross-namespace reference. \n ParentRefs from a Route to
- a Service in the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any namespace
- to the Service. \n ParentRefs from a Route to a Service in a different
- namespace are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same namespace
- as the Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route. \n "
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
@@ -9671,7 +10620,7 @@ spec:
the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
+ \n ParentRefs from a Route to a Service in the same namespace
are \"producer\" routes, which apply default routing rules
to inbound connections from any namespace to the Service.
\n ParentRefs from a Route to a Service in a different namespace
@@ -9679,7 +10628,7 @@ spec:
applied to outbound connections originating from the same
namespace as the Route, for which the intended destination
of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+ the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -9694,11 +10643,11 @@ spec:
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
+ must match both specified values. \n When the parent resource
is a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
+ values. \n Implementations MAY choose to support other parent
resources. Implementations supporting other types of parent
resources MUST clearly document how/if Port is interpreted.
\n For the purpose of status, an attachment is considered
@@ -9750,16 +10699,13 @@ spec:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && ( ( (!has(p1.__namespace__)
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
|| p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''') ) || ( has(p1.__namespace__) && has(p2.__namespace__)
- && p1.__namespace__ == p2.__namespace__ ) ) ? ( ( ( (!has(p1.sectionName)
- || p1.sectionName == '''') && (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0) ) || ( ( (has(p1.sectionName) && p1.sectionName
- != '''') || (has(p1.port) && p1.port != 0) ) && ( (has(p2.sectionName)
- && p2.sectionName != '''') || (has(p2.port) && p2.port != 0) )
- ) ) ): true ))'
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
- message: sectionName or port must be unique when parentRefs includes
2 or more references to the same parent
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
@@ -9797,7 +10743,24 @@ spec:
namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace
to allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details."
+ See the ReferenceGrant documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ \n Note that when the
+ BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here.
+ See the fields where this struct is used for more information
+ about the exact behavior."
properties:
group:
default: ""
@@ -10057,7 +11020,7 @@ spec:
in the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides
a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
+ reference. \n ParentRefs from a Route to a Service in
the same namespace are \"producer\" routes, which apply
default routing rules to inbound connections from any
namespace to the Service. \n ParentRefs from a Route to
@@ -10065,7 +11028,7 @@ spec:
and these routing rules are only applied to outbound connections
originating from the same namespace as the Route, for
which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
+ a Service targeted as a ParentRef of the Route. \n Support:
Core"
maxLength: 63
minLength: 1
@@ -10082,11 +11045,11 @@ spec:
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
- both specified values. \n When the parent resource is
+ both specified values. \n When the parent resource is
a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are
specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
+ match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
@@ -10165,8 +11128,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245
- gateway.networking.k8s.io/bundle-version: v0.8.1
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: udproutes.gateway.networking.k8s.io
@@ -10219,30 +11182,41 @@ spec:
for governing ParentRefs to Services - it is not possible to create
a \"producer\" route for a Service in a different namespace from
the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) \n This
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
API may be extended in the future to support additional kinds of
- parent resources. \n It is invalid to reference an identical parent
- more than once. It is valid to reference multiple distinct sections
- within the same parent resource, such as two separate Listeners
- on the same Gateway or two separate ports on the same Service. \n
- It is possible to separately reference multiple distinct objects
- that may be collapsed by an implementation. For example, some implementations
- may choose to merge compatible Gateway Listeners together. If that
- is the case, the list of routes attached to those resources should
- also be merged. \n Note that for ParentRefs that cross namespace
- boundaries, there are specific rules. Cross-namespace references
- are only valid if they are explicitly allowed by something in the
- namespace they are referring to. For example, Gateway has the AllowedRoutes
- field, and ReferenceGrant provides a generic way to enable other
- kinds of cross-namespace reference. \n ParentRefs from a Route to
- a Service in the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any namespace
- to the Service. \n ParentRefs from a Route to a Service in a different
- namespace are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same namespace
- as the Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route. \n "
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
@@ -10290,7 +11264,7 @@ spec:
the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
+ \n ParentRefs from a Route to a Service in the same namespace
are \"producer\" routes, which apply default routing rules
to inbound connections from any namespace to the Service.
\n ParentRefs from a Route to a Service in a different namespace
@@ -10298,7 +11272,7 @@ spec:
applied to outbound connections originating from the same
namespace as the Route, for which the intended destination
of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+ the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -10313,11 +11287,11 @@ spec:
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
+ must match both specified values. \n When the parent resource
is a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
+ values. \n Implementations MAY choose to support other parent
resources. Implementations supporting other types of parent
resources MUST clearly document how/if Port is interpreted.
\n For the purpose of status, an attachment is considered
@@ -10369,16 +11343,13 @@ spec:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && ( ( (!has(p1.__namespace__)
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
|| p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''') ) || ( has(p1.__namespace__) && has(p2.__namespace__)
- && p1.__namespace__ == p2.__namespace__ ) ) ? ( ( ( (!has(p1.sectionName)
- || p1.sectionName == '''') && (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0) ) || ( ( (has(p1.sectionName) && p1.sectionName
- != '''') || (has(p1.port) && p1.port != 0) ) && ( (has(p2.sectionName)
- && p2.sectionName != '''') || (has(p2.port) && p2.port != 0) )
- ) ) ): true ))'
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
- message: sectionName or port must be unique when parentRefs includes
2 or more references to the same parent
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
@@ -10413,7 +11384,24 @@ spec:
namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace
to allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details."
+ See the ReferenceGrant documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ \n Note that when the
+ BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here.
+ See the fields where this struct is used for more information
+ about the exact behavior."
properties:
group:
default: ""
@@ -10673,7 +11661,7 @@ spec:
in the namespace they are referring to. For example: Gateway
has the AllowedRoutes field, and ReferenceGrant provides
a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
+ reference. \n ParentRefs from a Route to a Service in
the same namespace are \"producer\" routes, which apply
default routing rules to inbound connections from any
namespace to the Service. \n ParentRefs from a Route to
@@ -10681,7 +11669,7 @@ spec:
and these routing rules are only applied to outbound connections
originating from the same namespace as the Route, for
which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
+ a Service targeted as a ParentRef of the Route. \n Support:
Core"
maxLength: 63
minLength: 1
@@ -10698,11 +11686,11 @@ spec:
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
- both specified values. \n When the parent resource is
+ both specified values. \n When the parent resource is
a Service, this targets a specific port in the Service
spec. When both Port (experimental) and SectionName are
specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
+ match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
@@ -10773,286 +11761,3 @@ status:
plural: ""
conditions: null
storedVersions: null
----
-#
-# config/webhook/0-namespace.yaml
-#
-apiVersion: v1
-kind: Namespace
-metadata:
- name: gateway-system
- labels:
- pod-security.kubernetes.io/enforce: restricted
- pod-security.kubernetes.io/audit: restricted
- pod-security.kubernetes.io/warn: restricted
----
-#
-# config/webhook/admission_webhook.yaml
-#
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: gateway-api-admission
-webhooks:
-- name: validate.gateway.networking.k8s.io
- matchPolicy: Equivalent
- rules:
- - operations: [ "CREATE" , "UPDATE" ]
- apiGroups: [ "gateway.networking.k8s.io" ]
- apiVersions: [ "v1alpha2", "v1beta1" ]
- resources: [ "gateways", "gatewayclasses", "httproutes" ]
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: gateway-api-admission-server
- namespace: gateway-system
- path: "/validate"
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: gateway-api-webhook-server
- name: gateway-api-admission-server
- namespace: gateway-system
-spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: 8443
- selector:
- name: gateway-api-admission-server
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gateway-api-admission-server
- namespace: gateway-system
- labels:
- name: gateway-api-admission-server
-spec:
- replicas: 1
- selector:
- matchLabels:
- name: gateway-api-admission-server
- template:
- metadata:
- name: gateway-api-admission-server
- labels:
- name: gateway-api-admission-server
- spec:
- containers:
- - name: webhook
- image: registry.k8s.io/gateway-api/admission-server:v0.8.1
- imagePullPolicy: IfNotPresent
- args:
- - -logtostderr
- - --tlsCertFile=/etc/certs/cert
- - --tlsKeyFile=/etc/certs/key
- - -v=10
- - 2>&1
- ports:
- - containerPort: 8443
- name: webhook
- resources:
- limits:
- memory: 50Mi
- cpu: 100m
- requests:
- memory: 50Mi
- cpu: 100m
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/certs
- readOnly: true
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 65532
- runAsGroup: 65532
- capabilities:
- drop:
- - "ALL"
- seccompProfile:
- type: RuntimeDefault
- volumes:
- - name: webhook-certs
- secret:
- secretName: gateway-api-admission
----
-#
-# config/webhook/certificate_config.yaml
-#
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: gateway-api-admission
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: gateway-api-admission
- labels:
- name: gateway-api
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gateway-api-admission
-subjects:
-- kind: ServiceAccount
- name: gateway-api-admission
- namespace: gateway-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: gateway-api-admission
-subjects:
-- kind: ServiceAccount
- name: gateway-api-admission
- namespace: gateway-system
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-spec:
- template:
- metadata:
- name: gateway-api-admission-create
- labels:
- name: gateway-api-webhook
- spec:
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=gateway-api-admission-server,gateway-api-admission-server.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=gateway-api-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000
- capabilities:
- drop:
- - "ALL"
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: gateway-api-admission
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: gateway-api-admission-patch
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-spec:
- template:
- metadata:
- name: gateway-api-admission-patch
- labels:
- name: gateway-api-webhook
- spec:
- containers:
- - name: patch
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=gateway-api-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --patch-validating=true
- - --secret-name=gateway-api-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000
- capabilities:
- drop:
- - "ALL"
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: gateway-api-admission
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000