diff --git a/.github/workflows/.env/nightly-tests/max_versions.env b/.github/workflows/.env/nightly-tests/max_versions.env index 0579a4f1c78..d9ad8987a8f 100644 --- a/.github/workflows/.env/nightly-tests/max_versions.env +++ b/.github/workflows/.env/nightly-tests/max_versions.env @@ -4,4 +4,4 @@ kind_version='v0.30.0' helm_version='v3.18.6' argocd_version='v3.1.1' istio_version='1.27.0' -k8sgateway_api_version='v1.3.0' +k8sgateway_api_version='v1.4.0' diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml index 6505f55830d..d9de6874eb2 100644 --- a/.github/workflows/static-analysis.yaml +++ b/.github/workflows/static-analysis.yaml @@ -45,11 +45,11 @@ jobs: uses: actions/checkout@v4 - name: Prep Go Runner uses: ./.github/workflows/composite-actions/prep-go-runner - - uses: golangci/golangci-lint-action@v6 + - uses: golangci/golangci-lint-action@v7 # `make analyze` runs the linter with similar arguments to what we use here. # If this action fails, try running `make analyze` locally. with: - version: v1.64.5 + version: v2.7.2 args: --verbose --modules-download-mode=readonly --allow-parallel-runners skip-cache: true skip-save-cache: true diff --git a/.golangci.yaml b/.golangci.yaml index ab1c4bb4521..7f3231cb89d 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -5,9 +5,11 @@ # * https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml # * https://golangci-lint.run/usage/configuration/ # +version: "2" + linters: - # Disable all linters. - disable-all: true + # Disable all linters by default. + default: none # Enable specific linters # https://golangci-lint.run/usage/linters/#enabled-by-default enable: 
@@ -17,45 +19,43 @@ linters: # See: https://github.com/solo-io/gloo-mesh-enterprise/blob/main/.golangci.yaml for a reference - bodyclose - ginkgolinter - - goimports - nakedret - predeclared - usestdlibvars - importas - -# Settings dedicated to specific linters. -linters-settings: - importas: - alias: - - pkg: k8s.io/api/apps/v1 - alias: appsv1 - - pkg: k8s.io/api/core/v1 - alias: corev1 - - pkg: k8s.io/apimachinery/pkg/apis/meta/v1 - alias: metav1 - - pkg: k8s.io/api/batch/v1 - alias: batchv1 - - pkg: github.com/solo-io/gloo/test/kubernetes/testutils/clients - alias: kubetestclients - nakedret: - # The team consensus is that naked returns hinder the readability of the code. - # However, named return values can still be useful as documentation for certain scenarios. - # By setting this to 0 in lieu of the default 30, we will effectively allow named return - # values as long as they are included in the return statement(s) e.g. - # func foo() (a, b int) { - # a = 1 - # b = 2 - # c := 3 - # d := 4 - # // These are allowed - # return a, b - # return c, d - # return d, c - # // This is NOT allowed - # return - # // This is allowed but really, really bad. DO NOT do this. - # return b, a - max-func-lines: 0 + # Settings dedicated to specific linters. + settings: + importas: + alias: + - pkg: k8s.io/api/apps/v1 + alias: appsv1 + - pkg: k8s.io/api/core/v1 + alias: corev1 + - pkg: k8s.io/apimachinery/pkg/apis/meta/v1 + alias: metav1 + - pkg: k8s.io/api/batch/v1 + alias: batchv1 + - pkg: github.com/solo-io/gloo/test/kubernetes/testutils/clients + alias: kubetestclients + nakedret: + # The team consensus is that naked returns hinder the readability of the code. + # However, named return values can still be useful as documentation for certain scenarios. + # By setting this to 0 in lieu of the default 30, we will effectively allow named return + # values as long as they are included in the return statement(s) e.g. 
+ # func foo() (a, b int) { + # a = 1 + # b = 2 + # c := 3 + # d := 4 + # // These are allowed + # return a, b + # return c, d + # return d, c + # // This is NOT allowed + # return + # // This is allowed but really, really bad. DO NOT do this. + # return b, a + max-func-lines: 0 issues: # Maximum count of issues with the same text. @@ -84,17 +84,13 @@ run: # output configuration options output: - # Use default format - # Default: - # formats: - # - format: colored-line-number - # path: stdout - - # Print lines of code with issue. - print-issued-lines: true + formats: + text: + path: stdout + print-linter-name: true + print-issued-lines: true - # Print linter name in the end of issue text. - print-linter-name: true - - # Sort results by: filepath, line and column. - sort-results: true +# Formatters configuration (v2) +formatters: + enable: + - goimports diff --git a/.trivyignore b/.trivyignore index bc972b0d3c2..10441889e73 100644 --- a/.trivyignore +++ b/.trivyignore @@ -93,3 +93,7 @@ CVE-2025-46569 # https://github.com/advisories/GHSA-wq9g-9vfc-cfq9 # This CVE has been addressed in v1.18.x and later. We have opted to ignore it in v1.17.x because it only affects Portal, which is no longer has any known users on this branch. We will remove this CVE from .trivyignore when v1.17.x is no longer supported. ([issue link](https://github.com/solo-io/gloo/issues/10925)) CVE-2025-30153 + +# https://github.com/advisories/GHSA-pwhc-rpq9-4c8w +# This CVE does not affect the library but the installable +CVE-2024-25621 diff --git a/Makefile b/Makefile index 22cadc12b4e..24733d3c98e 100644 --- a/Makefile +++ b/Makefile 
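Review bot: The comment added above `CVE-2024-25621` in .trivyignore ("This CVE does not affect the library but the installable") does not say which component is affected, why the shipped images are out of reach, or when the suppression can be dropped. The entry just before it (CVE-2025-30153) gives the affected feature, the branch scope, a removal condition and a tracking issue, and this one should follow the same pattern so a later audit can re-evaluate it. Suggested shape, with the details filled in by the author: `# Ignored because only the <dependency> Go library is vendored; the vulnerable <binary/daemon> is not built into or run by our images. Remove once <dependency> is bumped to a fixed release. ([issue link](https://github.com/solo-io/gloo/issues/11070))`. The issue link is the one used by the changelog entry in this same commit.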
@@ -182,11 +182,11 @@ install-go-tools: mod-download ## Download and install Go dependencies go install github.com/golang/protobuf/protoc-gen-go go install golang.org/x/tools/cmd/goimports go install github.com/cratonica/2goarray - go install github.com/golang/mock/mockgen + go install go.uber.org/mock/mockgen go install github.com/saiskee/gettercheck go install github.com/onsi/ginkgo/v2/ginkgo@$(GINKGO_VERSION) # This version must stay in sync with the version used in CI: .github/workflows/static-analysis.yaml - go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(LINTER_VERSION) + go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(LINTER_VERSION) go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.16 # Kubebuilder docs generation go install fybrik.io/crdoc@v0.6.3 diff --git a/changelog/v1.21.0-beta10/support-glob-rbac-v1.21.0-beta7.yaml b/changelog/v1.21.0-beta10/support-glob-rbac-v1.21.0-beta7.yaml new file mode 100644 index 00000000000..93c3722330c --- /dev/null +++ b/changelog/v1.21.0-beta10/support-glob-rbac-v1.21.0-beta7.yaml @@ -0,0 +1,6 @@ +changelog: +- type: NEW_FEATURE + description: > + Updating RBAC proto to enable support for glob claim types + issueLink: https://github.com/solo-io/solo-projects/issues/8612 + resolvesIssue: false diff --git a/changelog/v1.21.0-beta7/bump-gwapi-1.4.yaml b/changelog/v1.21.0-beta7/bump-gwapi-1.4.yaml new file mode 100644 index 00000000000..9005e829245 --- /dev/null +++ b/changelog/v1.21.0-beta7/bump-gwapi-1.4.yaml 
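Review bot: The golangci-lint install line now uses the `/v2/` module path, but `LINTER_VERSION` is defined outside this hunk, so it cannot be confirmed from here that it was raised to match the `v2.7.2` now set in .github/workflows/static-analysis.yaml. A v1 tag left in that variable would not resolve against the v2 module path and `install-go-tools` would fail, while a different v2 tag would let `make analyze` disagree with CI. Please confirm the variable is updated in this commit, and consider extending the existing comment to `# This version must stay in sync with the version used in CI (.github/workflows/static-analysis.yaml) and must be a v2.x tag to match the /v2 module path`. The install-go-tools recipe starts and continues outside the hunk.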
@@ -0,0 +1,81 @@ +changelog: +- type: DEPENDENCY_BUMP + dependencyOwner: sigs.k8s.io + dependencyRepo: gateway-api + dependencyTag: v1.4.1 +- type: DEPENDENCY_BUMP + dependencyOwner: sigs.k8s.io + dependencyRepo: controller-runtime + dependencyTag: v0.22.1 +- type: DEPENDENCY_BUMP + dependencyOwner: solo-io + dependencyRepo: cloud-builders + dependencyTag: v0.14.0 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: api + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: apiextensions-apiserver + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: apimachinery + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: apiserver + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: cli-runtime + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: client-go + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: code-generator + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: component-base + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: component-helpers + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: kubectl + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: k8s.io + dependencyRepo: metrics + dependencyTag: v0.34.2 +- type: DEPENDENCY_BUMP + dependencyOwner: solo-io + dependencyRepo: go-utils + dependencyTag: v0.29.0 +- type: DEPENDENCY_BUMP + dependencyOwner: solo-io + dependencyRepo: k8s-utils + dependencyTag: v0.12.0 +- type: DEPENDENCY_BUMP + dependencyOwner: solo-io + dependencyRepo: protoc-gen-openapi + dependencyTag: v0.4.0 +- type: DEPENDENCY_BUMP + dependencyOwner: solo-io + dependencyRepo: skv2 + dependencyTag: v0.45.0 +- type: DEPENDENCY_BUMP + 
dependencyOwner: solo-io + dependencyRepo: solo-apis + dependencyTag: v0.0.0-20251212201919-e8dd072aea09 +- type: DEPENDENCY_BUMP + dependencyOwner: solo-io + dependencyRepo: solo-kit + dependencyTag: v0.40.0 \ No newline at end of file diff --git a/changelog/v1.21.0-beta7/ignore-CVE-2024-25621.yaml b/changelog/v1.21.0-beta7/ignore-CVE-2024-25621.yaml new file mode 100644 index 00000000000..e1dda708795 --- /dev/null +++ b/changelog/v1.21.0-beta7/ignore-CVE-2024-25621.yaml @@ -0,0 +1,5 @@ +changelog: +- type: NON_USER_FACING + description: Add CVE-2024-25621 to .trivyignore + issueLink: https://github.com/solo-io/gloo/issues/11070 + diff --git a/changelog/v1.21.0-beta8/hardcode-gk.yaml b/changelog/v1.21.0-beta8/hardcode-gk.yaml new file mode 100644 index 00000000000..7b0b4e757d5 --- /dev/null +++ b/changelog/v1.21.0-beta8/hardcode-gk.yaml @@ -0,0 +1,7 @@ +changelog: +- type: NON_USER_FACING + issueLink: https://github.com/solo-io/solo-projects/issues/8681 + resolvesIssue: false + description: >- + No longer rely on the GVK of the source object to determine the resource kind of the source in AppendSourceToVirtualHost and AppendSourceToListener, + just use the known GVKs. This is because a change in controller-runtime caused the GVK of the source object to be empty. \ No newline at end of file diff --git a/changelog/v1.21.0-beta9/fix-gk.yaml b/changelog/v1.21.0-beta9/fix-gk.yaml new file mode 100644 index 00000000000..190e1eac0e2 --- /dev/null +++ b/changelog/v1.21.0-beta9/fix-gk.yaml @@ -0,0 +1,6 @@ +changelog: +- type: NON_USER_FACING + issueLink: https://github.com/solo-io/solo-projects/issues/8681 + resolvesIssue: false + description: >- + fix: don't assume source is listeneroption when appending source to listener in AppendSourceToListener \ No newline at end of file diff --git a/ci/cloudbuild/publish-artifacts.yaml b/ci/cloudbuild/publish-artifacts.yaml index 026d40af173..9f5821f5071 100644 --- a/ci/cloudbuild/publish-artifacts.yaml 
+++ b/ci/cloudbuild/publish-artifacts.yaml @@ -1,6 +1,6 @@ steps: -- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.13.2' +- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.14.0' id: 'prepare-workspace' args: - '--repo-name' @@ -59,7 +59,7 @@ steps: - '-c' - 'docker run --rm --privileged multiarch/qemu-user-static --reset -p yes -c yes' -- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2' +- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0' id: 'build-certgen-arm64-binary' args: - 'certgen-docker' @@ -68,7 +68,7 @@ steps: - 'GOARCH=arm64' # Run make targets to push docker images to quay.io -- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2' +- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0' id: 'publish-docker' args: - 'publish-docker' @@ -76,6 +76,7 @@ steps: env: - 'MULTIARCH=true' - 'MULTIARCH_PUSH=true' + - 'DOCKER_API_VERSION=1.41' secretEnv: - 'GITHUB_TOKEN' waitFor: @@ -94,7 +95,7 @@ steps: waitFor: - 'publish-docker' -- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2' +- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0' id: 'release-chart' dir: *dir args: @@ -109,7 +110,7 @@ steps: - 'gcr-auth' # Run make targets to build and push docker images to GCR -- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2' +- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0' id: 'publish-docker-extended-gcr' dir: *dir args: @@ -118,6 +119,7 @@ steps: - 'MULTIARCH=true' - 'MULTIARCH_PUSH=true' - 'IMAGE_REGISTRY=gcr.io/gloo-edge' + - 'DOCKER_API_VERSION=1.41' secretEnv: - 'GITHUB_TOKEN' waitFor: diff --git a/ci/cloudbuild/run-tests.yaml b/ci/cloudbuild/run-tests.yaml index 89cadcdb468..e77b5156a5f 100644 --- a/ci/cloudbuild/run-tests.yaml +++ b/ci/cloudbuild/run-tests.yaml @@ -1,6 +1,6 @@ steps: -- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.13.2' +- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.14.0' id: 'prepare-workspace' args: - '--repo-name' 
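Review bot: `DOCKER_API_VERSION=1.41` is added to the `publish-docker` step's `env` with no comment saying why the client API version is pinned, and the same line is added to `publish-docker-extended-gcr` in the `@@ -118,6 +119,7 @@` hunk. An unexplained pin on the image-publishing path tends to outlive its reason, so later builder or daemon upgrades keep talking an old API level without anyone knowing whether that is still required. Add a comment on both entries stating the reason and the removal condition, for example `# Pin the Docker client API version: <reason, presumably a client/daemon mismatch with the 0.14.0 builder image>; remove once <condition>`. Both step definitions continue outside their hunks.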
@@ -23,7 +23,7 @@ steps: cd /go/pkg gsutil cat gs://$PROJECT_ID-cache/gloo/gloo-mod.tar.gz | tar -xzf - || echo "untar mod cache failed; continuing because we can download deps as we need them" -- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2' +- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0' id: 'prepare-envoy' dir: *dir entrypoint: 'bash' @@ -77,8 +77,8 @@ steps: waitFor: - 'prepare-gcr-zone' -- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2' - id: 'prepare-test-tools' +- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0' + id: 'prepare-test-tools' dir: *dir args: - 'install-test-tools' @@ -88,7 +88,7 @@ steps: - 'prepare-gcr-zone' - 'prepare-test-credentials' -- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.13.2' +- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.14.0' id: 'run-tests' dir: *dir entrypoint: 'make' @@ -99,7 +99,7 @@ steps: secretEnv: - 'JWT_PRIVATE_KEY' -- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.13.2' +- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.14.0' id: 'run-e2e-tests' dir: *dir entrypoint: 'make' @@ -110,7 +110,7 @@ steps: secretEnv: - 'JWT_PRIVATE_KEY' -- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.13.2' +- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.14.0' id: 'run-hashicorp-e2e-tests' dir: *dir entrypoint: 'make' diff --git a/ci/kind/setup-kind.sh b/ci/kind/setup-kind.sh index 4eaa06a2c09..1318d1c707e 100755 --- a/ci/kind/setup-kind.sh +++ b/ci/kind/setup-kind.sh @@ -18,7 +18,7 @@ IMAGE_VARIANT="${IMAGE_VARIANT:-standard}" # If true, run extra steps to set up k8s gateway api conformance test environment CONFORMANCE="${CONFORMANCE:-false}" # The version of the k8s gateway api conformance tests to run. Requires CONFORMANCE=true -CONFORMANCE_VERSION="${CONFORMANCE_VERSION:-v1.3.0}" +CONFORMANCE_VERSION="${CONFORMANCE_VERSION:-v1.4.0}" # The channel of the k8s gateway api conformance tests to run. Requires CONFORMANCE=true CONFORMANCE_CHANNEL="${CONFORMANCE_CHANNEL:-"experimental"}" # The version of Cilium to install. 
@@ -80,12 +80,8 @@ fi make -s build-cli-local # 5. Apply the Kubernetes Gateway API CRDs -# Note, we're using kustomize to apply the CRDs from the k8s gateway api repo as -# kustomize supports remote GH URLs and provides more flexibility compared to -# alternatives like running a series of `kubectl apply -f ` commands. This -# approach is largely necessary since upstream hasn't adopted a helm chart for -# the CRDs yet, or won't be for the foreseeable future. -kubectl apply --kustomize "https://github.com/kubernetes-sigs/gateway-api/config/crd/$CONFORMANCE_CHANNEL?ref=$CONFORMANCE_VERSION" +# HACK: Use SSA to avoid the issue with the CRD annotations being too long. +kubectl apply --server-side -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/${CONFORMANCE_VERSION}/${CONFORMANCE_CHANNEL}-install.yaml" # 6. Conformance test setup if [[ $CONFORMANCE == "true" ]]; then diff --git a/ci/tools.go b/ci/tools.go index ff87af02780..32ac4d69a7e 100644 --- a/ci/tools.go +++ b/ci/tools.go @@ -21,10 +21,10 @@ import ( _ "github.com/ahmetb/gen-crd-api-reference-docs" _ "github.com/cratonica/2goarray" _ "github.com/envoyproxy/protoc-gen-validate" - _ "github.com/golang/mock/mockgen" _ "github.com/saiskee/gettercheck" _ "github.com/solo-io/protoc-gen-ext" _ "github.com/solo-io/protoc-gen-openapi" + _ "go.uber.org/mock/mockgen" _ "golang.org/x/tools/cmd/goimports" _ "k8s.io/code-generator" _ "sigs.k8s.io/controller-tools/cmd/controller-gen" diff --git a/cloudbuild-cache.yaml b/cloudbuild-cache.yaml index 58ee91cc254..1b2bf01e8bc 100644 --- a/cloudbuild-cache.yaml +++ b/cloudbuild-cache.yaml @@ -1,6 +1,6 @@ options: env: - - "_GO_VERSION=1.24.9" + - "_GO_VERSION=1.25.5" steps: - name: gcr.io/cloud-builders/gsutil diff --git a/docs/content/reference/api/envoy/api/v2/route/route.proto.sk.md b/docs/content/reference/api/envoy/api/v2/route/route.proto.sk.md index d3686d533be..a5e53837f06 100644 --- a/docs/content/reference/api/envoy/api/v2/route/route.proto.sk.md 
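Review bot: The new `kubectl apply --server-side -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/..."` line applies a manifest fetched at run time with no integrity check, and both `CONFORMANCE_VERSION` and `CONFORMANCE_CHANNEL` are environment-overridable values interpolated straight into the URL. A release tag alone does not fix the bytes of a release asset, and whatever is served gets installed as cluster-scoped CRDs in the test cluster. Consider downloading the file first, checking it against a digest kept in the repo for each supported version and channel, and applying only the verified copy, as sketched below. The `HACK` comment would also be clearer if it named the limit being worked around, presumably the size cap on the client-side `last-applied-configuration` annotation.

```shell
# 5. Apply the Kubernetes Gateway API CRDs
# Server-side apply avoids storing the whole CRD in the client-side
# last-applied-configuration annotation, which is too large for these CRDs.
crd_manifest="$(mktemp)"
curl -fsSL -o "$crd_manifest" \
  "https://github.com/kubernetes-sigs/gateway-api/releases/download/${CONFORMANCE_VERSION}/${CONFORMANCE_CHANNEL}-install.yaml" \
  || { echo "failed to download Gateway API CRDs" >&2; exit 1; }
# GATEWAY_API_CRD_SHA256 is a placeholder: the digest recorded in the repo
# for this CONFORMANCE_VERSION / CONFORMANCE_CHANNEL pair.
echo "${GATEWAY_API_CRD_SHA256}  ${crd_manifest}" | sha256sum --check --quiet \
  || { echo "Gateway API CRD manifest digest mismatch" >&2; exit 1; }
kubectl apply --server-side -f "$crd_manifest"
rm -f "$crd_manifest"
# … unchanged: 6. Conformance test setup …
```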
+++ b/docs/content/reference/api/envoy/api/v2/route/route.proto.sk.md @@ -61,7 +61,7 @@ weight: 5 --- -### VirtualHost +### VirtualHost {#virtualhost} The top level element in the routing configuration is a virtual host. Each virtual host has @@ -113,7 +113,7 @@ upstream cluster to route to or whether to perform a redirect. --- -### TlsRequirementType +### TlsRequirementType {#tlsrequirementtype} @@ -127,7 +127,7 @@ upstream cluster to route to or whether to perform a redirect. --- -### Route +### Route {#route} A route is both a specification of how to match a request as well as an indication of what to do @@ -176,7 +176,7 @@ next (e.g., redirect, forward, rewrite, etc.). --- -### WeightedCluster +### WeightedCluster {#weightedcluster} Compared to the `cluster (envoy_api_field_route.RouteAction.cluster)` field that specifies a @@ -203,7 +203,7 @@ weights. --- -### ClusterWeight +### ClusterWeight {#clusterweight} @@ -236,7 +236,7 @@ weights. --- -### RouteMatch +### RouteMatch {#routematch} @@ -269,7 +269,7 @@ weights. --- -### ConnectMatcher +### ConnectMatcher {#connectmatcher} @@ -284,7 +284,7 @@ weights. --- -### GrpcRouteMatchOptions +### GrpcRouteMatchOptions {#grpcroutematchoptions} @@ -299,7 +299,7 @@ weights. --- -### CorsPolicy +### CorsPolicy {#corspolicy} @@ -334,7 +334,7 @@ weights. --- -### RouteAction +### RouteAction {#routeaction} @@ -395,7 +395,7 @@ weights. --- -### RequestMirrorPolicy +### RequestMirrorPolicy {#requestmirrorpolicy} The router is capable of shadowing traffic from one cluster to another. The current @@ -423,7 +423,7 @@ useful for logging. For example, *cluster1* becomes *cluster1-shadow*. --- -### HashPolicy +### HashPolicy {#hashpolicy} Specifies the route's hashing policy if the upstream cluster uses a hashing `load balancer @@ -448,7 +448,7 @@ Specifies the route's hashing policy if the upstream cluster uses a hashing `loa --- -### Header +### Header {#header} 
@@ -465,7 +465,7 @@ Specifies the route's hashing policy if the upstream cluster uses a hashing `loa --- -### Cookie +### Cookie {#cookie} Envoy supports two types of cookie affinity: @@ -500,7 +500,7 @@ Envoy supports two types of cookie affinity: --- -### ConnectionProperties +### ConnectionProperties {#connectionproperties} @@ -517,7 +517,7 @@ Envoy supports two types of cookie affinity: --- -### UpgradeConfig +### UpgradeConfig {#upgradeconfig} Allows enabling and disabling upgrades on a per-route basis. @@ -542,7 +542,7 @@ but does not affect any custom filter chain specified there. --- -### ClusterNotFoundResponseCode +### ClusterNotFoundResponseCode {#clusternotfoundresponsecode} @@ -555,7 +555,7 @@ but does not affect any custom filter chain specified there. --- -### InternalRedirectAction +### InternalRedirectAction {#internalredirectaction} Configures `internal redirect (arch_overview_internal_redirects)` behavior. @@ -569,7 +569,7 @@ Configures `internal redirect (arch_overview_internal_redirects)` behavior. --- -### RetryPolicy +### RetryPolicy {#retrypolicy} HTTP retry `architecture overview (arch_overview_http_routing_retry)`. @@ -601,7 +601,7 @@ HTTP retry `architecture overview (arch_overview_http_routing_retry)`. --- -### RetryPriority +### RetryPriority {#retrypriority} @@ -622,7 +622,7 @@ HTTP retry `architecture overview (arch_overview_http_routing_retry)`. --- -### RetryHostPredicate +### RetryHostPredicate {#retryhostpredicate} @@ -643,7 +643,7 @@ HTTP retry `architecture overview (arch_overview_http_routing_retry)`. --- -### RetryBackOff +### RetryBackOff {#retrybackoff} @@ -662,7 +662,7 @@ HTTP retry `architecture overview (arch_overview_http_routing_retry)`. --- -### HedgePolicy +### HedgePolicy {#hedgepolicy} HTTP request hedging `architecture overview (arch_overview_http_routing_hedging)`. 
@@ -684,7 +684,7 @@ HTTP request hedging `architecture overview (arch_overview_http_routing_hedging) --- -### RedirectAction +### RedirectAction {#redirectaction} @@ -715,7 +715,7 @@ HTTP request hedging `architecture overview (arch_overview_http_routing_hedging) --- -### RedirectResponseCode +### RedirectResponseCode {#redirectresponsecode} @@ -731,7 +731,7 @@ HTTP request hedging `architecture overview (arch_overview_http_routing_hedging) --- -### DirectResponseAction +### DirectResponseAction {#directresponseaction} @@ -750,7 +750,7 @@ HTTP request hedging `architecture overview (arch_overview_http_routing_hedging) --- -### Decorator +### Decorator {#decorator} @@ -767,7 +767,7 @@ HTTP request hedging `architecture overview (arch_overview_http_routing_hedging) --- -### Tracing +### Tracing {#tracing} @@ -788,7 +788,7 @@ HTTP request hedging `architecture overview (arch_overview_http_routing_hedging) --- -### VirtualCluster +### VirtualCluster {#virtualcluster} A virtual cluster is a way of specifying a regex matching rule against @@ -825,7 +825,7 @@ Documentation for `virtual cluster statistics (config_http_filters_router_stats) --- -### RateLimit +### RateLimit {#ratelimit} Global rate limiting `architecture overview (arch_overview_rate_limit)`. @@ -847,7 +847,7 @@ Global rate limiting `architecture overview (arch_overview_rate_limit)`. --- -### Action +### Action {#action} @@ -874,7 +874,7 @@ Global rate limiting `architecture overview (arch_overview_rate_limit)`. --- -### SourceCluster +### SourceCluster {#sourcecluster} The following descriptor entry is appended to the descriptor: @@ -896,7 +896,7 @@ The following descriptor entry is appended to the descriptor: --- -### DestinationCluster +### DestinationCluster {#destinationcluster} The following descriptor entry is appended to the descriptor: 
@@ -927,7 +927,7 @@ settings: --- -### RequestHeaders +### RequestHeaders {#requestheaders} The following descriptor entry is appended when a header contains a key that matches the @@ -952,7 +952,7 @@ The following descriptor entry is appended when a header contains a key that mat --- -### RemoteAddress +### RemoteAddress {#remoteaddress} The following descriptor entry is appended to the descriptor and is populated using the @@ -973,7 +973,7 @@ trusted address from `x-forwarded-for (config_http_conn_man_headers_x-forwarded- --- -### GenericKey +### GenericKey {#generickey} The following descriptor entry is appended to the descriptor: @@ -995,7 +995,7 @@ The following descriptor entry is appended to the descriptor: --- -### HeaderValueMatch +### HeaderValueMatch {#headervaluematch} The following descriptor entry is appended to the descriptor: @@ -1021,7 +1021,7 @@ The following descriptor entry is appended to the descriptor: --- -### HeaderMatcher +### HeaderMatcher {#headermatcher} Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 *Host* @@ -1070,7 +1070,7 @@ Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HT --- -### QueryParameterMatcher +### QueryParameterMatcher {#queryparametermatcher} Query parameter matching treats the query string of a request's :path header diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/external_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/external_options.proto.sk.md index 7a96bc296a0..9fc538c4ba8 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/external_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/external_options.proto.sk.md 
@@ -26,7 +26,7 @@ weight: 5 --- -### VirtualHostOption +### VirtualHostOption {#virtualhostoption} The **VirtualHostOption** holds `options` configuration for a VirtualHost. @@ -146,7 +146,7 @@ Notice how the order of VirtualHostOption delegations matters, and that the Virt --- -### RouteOption +### RouteOption {#routeoption} The **RouteOption** holds `options` configuration for a Route. @@ -268,7 +268,7 @@ Notice how the order of RouteOption delegations matters, and that the Route-leve --- -### ListenerOption +### ListenerOption {#listeneroption} @@ -291,7 +291,7 @@ Notice how the order of RouteOption delegations matters, and that the Route-leve --- -### HttpListenerOption +### HttpListenerOption {#httplisteneroption} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/gateway.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/gateway.proto.sk.md index 4fdebc2b1cc..b540bcc376f 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/gateway.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/gateway.proto.sk.md @@ -29,7 +29,7 @@ weight: 5 --- -### Gateway +### Gateway {#gateway} A Gateway describes a single Listener (bind address:port) @@ -70,7 +70,7 @@ and the routing configuration to upstreams that are reachable via a specific por --- -### TcpGateway +### TcpGateway {#tcpgateway} @@ -89,7 +89,7 @@ and the routing configuration to upstreams that are reachable via a specific por --- -### HybridGateway +### HybridGateway {#hybridgateway} @@ -110,7 +110,7 @@ and the routing configuration to upstreams that are reachable via a specific por --- -### DelegatedHttpGateway +### DelegatedHttpGateway {#delegatedhttpgateway} @@ -135,7 +135,7 @@ and the routing configuration to upstreams that are reachable via a specific por --- -### DelegatedTcpGateway +### DelegatedTcpGateway {#delegatedtcpgateway} 
@@ -154,7 +154,7 @@ and the routing configuration to upstreams that are reachable via a specific por --- -### MatchedGateway +### MatchedGateway {#matchedgateway} @@ -175,7 +175,7 @@ and the routing configuration to upstreams that are reachable via a specific por --- -### Matcher +### Matcher {#matcher} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/http_gateway.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/http_gateway.proto.sk.md index 76d8ea74f0c..0c6dc8adf59 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/http_gateway.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/http_gateway.proto.sk.md @@ -26,7 +26,7 @@ weight: 5 --- -### HttpGateway +### HttpGateway {#httpgateway} @@ -51,7 +51,7 @@ weight: 5 --- -### VirtualServiceSelectorExpressions +### VirtualServiceSelectorExpressions {#virtualserviceselectorexpressions} Expressions to define which virtual services to select @@ -74,7 +74,7 @@ expressions: --- -### Expression +### Expression {#expression} @@ -95,7 +95,7 @@ expressions: --- -### Operator +### Operator {#operator} Virtual Service Selector expression operator, while the set-based syntax differs from Kubernetes (kubernetes: `key: !mylabel`, gloo: `key: mylabel, operator: "!"` | kubernetes: `key: mylabel`, gloo: `key: mylabel, operator: exists`), the functionality remains the same. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_http_gateway.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_http_gateway.proto.sk.md index c1d8b0f61d1..1a88d6ec6c5 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_http_gateway.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_http_gateway.proto.sk.md 
@@ -12,7 +12,7 @@ weight: 5 - [MatchableHttpGateway](#matchablehttpgateway) **Top-Level Resource** -- [Matcher](#matcher) +- [Matcher](#matcher-1) @@ -24,7 +24,7 @@ weight: 5 --- -### MatchableHttpGateway +### MatchableHttpGateway {#matchablehttpgateway} A MatchableHttpGateway describes a single FilterChain configured with: @@ -54,7 +54,7 @@ and FilterChain configuration (MatchableHttpGateway CR) --- -### Matcher +### Matcher {#matcher-1} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_tcp_gateway.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_tcp_gateway.proto.sk.md index efe502e4264..2c2d1da1187 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_tcp_gateway.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/matchable_tcp_gateway.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [MatchableTcpGateway](#matchabletcpgateway) **Top-Level Resource** -- [Matcher](#matcher) +- [Matcher](#matcher-2) @@ -24,7 +24,7 @@ weight: 5 --- -### MatchableTcpGateway +### MatchableTcpGateway {#matchabletcpgateway} A MatchableTcpGateway describes a single FilterChain configured with the TcpProxy network filter and a matcher. @@ -52,7 +52,7 @@ and FilterChain configuration (MatchableTcpGateway CR). --- -### Matcher +### Matcher {#matcher-2} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/route_table.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/route_table.proto.sk.md index aed08214e0e..8e895ad2bbb 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/route_table.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/route_table.proto.sk.md 
@@ -23,7 +23,7 @@ weight: 5 --- -### RouteTable +### RouteTable {#routetable} The **RouteTable** is a child routing object for the Gloo Gateway. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/virtual_service.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/virtual_service.proto.sk.md index bec339415cf..1133cb00850 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/virtual_service.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/virtual_service.proto.sk.md @@ -12,13 +12,13 @@ weight: 5 - [VirtualService](#virtualservice) **Top-Level Resource** -- [VirtualHost](#virtualhost) -- [Route](#route) +- [VirtualHost](#virtualhost-1) +- [Route](#route-1) - [DelegateOptionsRefs](#delegateoptionsrefs) - [DelegateAction](#delegateaction) - [RouteTableSelector](#routetableselector) -- [Expression](#expression) -- [Operator](#operator) +- [Expression](#expression-1) +- [Operator](#operator-1) @@ -30,7 +30,7 @@ weight: 5 --- -### VirtualService +### VirtualService {#virtualservice} The **VirtualService** is the root routing object for the Gloo Gateway. @@ -145,7 +145,7 @@ constraints: --- -### VirtualHost +### VirtualHost {#virtualhost-1} Virtual Hosts serve an ordered list of routes for a set of domains. @@ -176,7 +176,7 @@ _Gateway_ Virtual Hosts can delegate their routes to `RouteTables`. --- -### Route +### Route {#route-1} A route specifies how to match a request and what action to take when the request is matched. @@ -220,7 +220,7 @@ top-level `RouteTable` resources. --- -### DelegateOptionsRefs +### DelegateOptionsRefs {#delegateoptionsrefs} @@ -237,7 +237,7 @@ top-level `RouteTable` resources. --- -### DelegateAction +### DelegateAction {#delegateaction} DelegateActions are used to delegate routing decisions to Route Tables. 
@@ -261,7 +261,7 @@ DelegateActions are used to delegate routing decisions to Route Tables. --- -### RouteTableSelector +### RouteTableSelector {#routetableselector} Select route tables for delegation by namespace, labels, or both. @@ -283,7 +283,7 @@ Select route tables for delegation by namespace, labels, or both. --- -### Expression +### Expression {#expression-1} @@ -304,7 +304,7 @@ Select route tables for delegation by namespace, labels, or both. --- -### Operator +### Operator {#operator-1} Route Table Selector expression operator, while the set-based syntax differs from Kubernetes (kubernetes: `key: !mylabel`, gloo: `key: mylabel, operator: "!"` | kubernetes: `key: mylabel`, gloo: `key: mylabel, operator: exists`), the functionality remains the same. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway2/api/v1alpha1/gateway_parameters.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway2/api/v1alpha1/gateway_parameters.md index 2ce9d71a357..8e3574be182 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway2/api/v1alpha1/gateway_parameters.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gateway2/api/v1alpha1/gateway_parameters.md @@ -340,6 +340,13 @@ Resource Types:
false + + fileKeyRef + object + +
+ + false resourceFieldRef object @@ -435,6 +442,56 @@ Resource Types: +### GatewayParameters.spec.kube.aiExtension.env[index].valueFrom.fileKeyRef +[↩ Parent](#gatewayparametersspeckubeaiextensionenvindexvaluefrom) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring +
+
true
pathstring +
+
true
volumeNamestring +
+
true
optionalboolean +
+
+ Default: false
+
false
+ + ### GatewayParameters.spec.kube.aiExtension.env[index].valueFrom.resourceFieldRef [↩ Parent](#gatewayparametersspeckubeaiextensionenvindexvaluefrom) @@ -1859,6 +1916,13 @@ Resource Types:
false + + restartPolicyRules + []object + +
+ + false securityContext object @@ -2004,6 +2068,13 @@ Resource Types:
false + + fileKeyRef + object + +
+ + false resourceFieldRef object @@ -2099,6 +2170,56 @@ Resource Types: +### GatewayParameters.spec.kube.istio.customSidecars[index].env[index].valueFrom.fileKeyRef +[↩ Parent](#gatewayparametersspeckubeistiocustomsidecarsindexenvindexvaluefrom) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring +
+
true
pathstring +
+
true
volumeNamestring +
+
true
optionalboolean +
+
+ Default: false
+
false
+ + ### GatewayParameters.spec.kube.istio.customSidecars[index].env[index].valueFrom.resourceFieldRef [↩ Parent](#gatewayparametersspeckubeistiocustomsidecarsindexenvindexvaluefrom) @@ -3541,6 +3662,74 @@ Resource Types: +### GatewayParameters.spec.kube.istio.customSidecars[index].restartPolicyRules[index] +[↩ Parent](#gatewayparametersspeckubeistiocustomsidecarsindex) + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
actionstring +
+
true
exitCodesobject +
+
false
+ + +### GatewayParameters.spec.kube.istio.customSidecars[index].restartPolicyRules[index].exitCodes +[↩ Parent](#gatewayparametersspeckubeistiocustomsidecarsindexrestartpolicyrulesindex) + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
operatorstring +
+
true
values[]integer +
+
false
+ + ### GatewayParameters.spec.kube.istio.customSidecars[index].securityContext [↩ Parent](#gatewayparametersspeckubeistiocustomsidecarsindex) diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/debug/proxy_endpoint.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/debug/proxy_endpoint.proto.sk.md index 20ed39a550e..a4b15fee756 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/debug/proxy_endpoint.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/debug/proxy_endpoint.proto.sk.md @@ -24,7 +24,7 @@ weight: 5 --- -### ProxyEndpointRequest +### ProxyEndpointRequest {#proxyendpointrequest} @@ -47,7 +47,7 @@ weight: 5 --- -### ProxyEndpointResponse +### ProxyEndpointResponse {#proxyendpointresponse} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/validation/gloo_validation.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/validation/gloo_validation.proto.sk.md index 45a4f920ddc..bbf74e69c47 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/validation/gloo_validation.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/validation/gloo_validation.proto.sk.md 
@@ -22,32 +22,32 @@ weight: 5 - [ProxyReport](#proxyreport) - [ListenerReport](#listenerreport) - [Error](#error) -- [Type](#type) +- [Type](#type-1) - [Warning](#warning) -- [Type](#type) +- [Type](#type-2) - [HttpListenerReport](#httplistenerreport) -- [Error](#error) -- [Type](#type) -- [Warning](#warning) -- [Type](#type) +- [Error](#error-1) +- [Type](#type-3) +- [Warning](#warning-1) +- [Type](#type-4) - [VirtualHostReport](#virtualhostreport) -- [Error](#error) -- [Type](#type) +- [Error](#error-2) +- [Type](#type-5) - [RouteReport](#routereport) -- [Error](#error) -- [Type](#type) -- [Warning](#warning) -- [Type](#type) +- [Error](#error-3) +- [Type](#type-6) +- [Warning](#warning-2) +- [Type](#type-7) - [TcpListenerReport](#tcplistenerreport) -- [Error](#error) -- [Type](#type) -- [Warning](#warning) -- [Type](#type) +- [Error](#error-4) +- [Type](#type-8) +- [Warning](#warning-3) +- [Type](#type-9) - [TcpHostReport](#tcphostreport) -- [Error](#error) -- [Type](#type) -- [Warning](#warning) -- [Type](#type) +- [Error](#error-5) +- [Type](#type-10) +- [Warning](#warning-4) +- [Type](#type-11) - [HybridListenerReport](#hybridlistenerreport) - [MatchedListenerReport](#matchedlistenerreport) - [AggregateListenerReport](#aggregatelistenerreport) @@ -62,7 +62,7 @@ weight: 5 --- -### GlooValidationServiceRequest +### GlooValidationServiceRequest {#gloovalidationservicerequest} @@ -83,7 +83,7 @@ weight: 5 --- -### GlooValidationServiceResponse +### GlooValidationServiceResponse {#gloovalidationserviceresponse} @@ -100,7 +100,7 @@ weight: 5 --- -### ModifiedResources +### ModifiedResources {#modifiedresources} @@ -117,7 +117,7 @@ weight: 5 --- -### DeletedResources +### DeletedResources {#deletedresources} @@ -136,7 +136,7 @@ weight: 5 --- -### ValidationReport +### ValidationReport {#validationreport} A validation report represents the warnings and errors that produced during 
@@ -159,7 +159,7 @@ a single translation loop of a proxy. --- -### ResourceReport +### ResourceReport {#resourcereport} @@ -180,7 +180,7 @@ a single translation loop of a proxy. --- -### NotifyOnResyncRequest +### NotifyOnResyncRequest {#notifyonresyncrequest} @@ -195,7 +195,7 @@ a single translation loop of a proxy. --- -### NotifyOnResyncResponse +### NotifyOnResyncResponse {#notifyonresyncresponse} @@ -210,7 +210,7 @@ a single translation loop of a proxy. --- -### ProxyReport +### ProxyReport {#proxyreport} The Proxy Report should contain one report for each sub-resource of the Proxy @@ -232,7 +232,7 @@ If the report contains no errors, the (sub-)resource is valid. --- -### ListenerReport +### ListenerReport {#listenerreport} @@ -259,7 +259,7 @@ If the report contains no errors, the (sub-)resource is valid. --- -### Error +### Error {#error} error types for top-level listener config @@ -281,7 +281,7 @@ error types for top-level listener config --- -### Type +### Type {#type-1} @@ -296,7 +296,7 @@ error types for top-level listener config --- -### Warning +### Warning {#warning} warning types for the given listener config @@ -316,7 +316,7 @@ warning types for the given listener config --- -### Type +### Type {#type-2} @@ -328,7 +328,7 @@ warning types for the given listener config --- -### HttpListenerReport +### HttpListenerReport {#httplistenerreport} @@ -349,7 +349,7 @@ warning types for the given listener config --- -### Error +### Error {#error-1} error types for top-level http listener config @@ -371,7 +371,7 @@ error types for top-level http listener config --- -### Type +### Type {#type-3} @@ -383,7 +383,7 @@ error types for top-level http listener config --- -### Warning +### Warning {#warning-1} warning types for the given listener @@ -403,7 +403,7 @@ warning types for the given listener --- -### Type +### Type {#type-4} @@ -416,7 +416,7 @@ warning types for the given listener --- -### VirtualHostReport +### VirtualHostReport {#virtualhostreport} 
@@ -435,7 +435,7 @@ warning types for the given listener --- -### Error +### Error {#error-2} error types for top-level virtual host config @@ -457,7 +457,7 @@ error types for top-level virtual host config --- -### Type +### Type {#type-5} @@ -472,7 +472,7 @@ error types for top-level virtual host config --- -### RouteReport +### RouteReport {#routereport} @@ -491,7 +491,7 @@ error types for top-level virtual host config --- -### Error +### Error {#error-3} error types for the given route config @@ -513,7 +513,7 @@ error types for the given route config --- -### Type +### Type {#type-6} @@ -526,7 +526,7 @@ error types for the given route config --- -### Warning +### Warning {#warning-2} warning types for the given route config @@ -546,7 +546,7 @@ warning types for the given route config --- -### Type +### Type {#type-7} @@ -558,7 +558,7 @@ warning types for the given route config --- -### TcpListenerReport +### TcpListenerReport {#tcplistenerreport} @@ -579,7 +579,7 @@ warning types for the given route config --- -### Error +### Error {#error-4} error types for top-level tcp listener config @@ -599,7 +599,7 @@ error types for top-level tcp listener config --- -### Type +### Type {#type-8} @@ -614,7 +614,7 @@ error types for top-level tcp listener config --- -### Warning +### Warning {#warning-3} warning types for the given listener @@ -634,7 +634,7 @@ warning types for the given listener --- -### Type +### Type {#type-9} @@ -647,7 +647,7 @@ warning types for the given listener --- -### TcpHostReport +### TcpHostReport {#tcphostreport} @@ -666,7 +666,7 @@ warning types for the given listener --- -### Error +### Error {#error-5} error types for tcp host config @@ -686,7 +686,7 @@ error types for tcp host config --- -### Type +### Type {#type-10} @@ -700,7 +700,7 @@ error types for tcp host config --- -### Warning +### Warning {#warning-4} warning types for the given tcp host config 
@@ -720,7 +720,7 @@ warning types for the given tcp host config --- -### Type +### Type {#type-11} @@ -733,7 +733,7 @@ warning types for the given tcp host config --- -### HybridListenerReport +### HybridListenerReport {#hybridlistenerreport} @@ -750,7 +750,7 @@ warning types for the given tcp host config --- -### MatchedListenerReport +### MatchedListenerReport {#matchedlistenerreport} @@ -769,7 +769,7 @@ warning types for the given tcp host config --- -### AggregateListenerReport +### AggregateListenerReport {#aggregatelistenerreport} the report for an AggregateListener diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/version/version.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/version/version.proto.sk.md index e53a05bb2ee..33839266a50 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/version/version.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/grpc/version/version.proto.sk.md @@ -16,7 +16,7 @@ weight: 5 - [Container](#container) - [ClientVersion](#clientversion) - [KubernetesClusterVersion](#kubernetesclusterversion) -- [Version](#version) +- [Version](#version-1) @@ -35,7 +35,7 @@ weight: 5 --- -### ServerVersion +### ServerVersion {#serverversion} @@ -56,7 +56,7 @@ weight: 5 --- -### Kubernetes +### Kubernetes {#kubernetes} @@ -75,7 +75,7 @@ weight: 5 --- -### Container +### Container {#container} @@ -98,7 +98,7 @@ weight: 5 --- -### ClientVersion +### ClientVersion {#clientversion} @@ -115,7 +115,7 @@ weight: 5 --- -### KubernetesClusterVersion +### KubernetesClusterVersion {#kubernetesclusterversion} @@ -140,7 +140,7 @@ weight: 5 --- -### Version +### Version {#version-1} @@ -160,7 +160,7 @@ weight: 5 -### GlooType +### GlooType {#glootype} Description: type of gloo server instance 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/artifact.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/artifact.proto.sk.md index ecda18c9701..d78191f1140 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/artifact.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/artifact.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### Artifact +### Artifact {#artifact} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/circuit_breaker/circuit_breaker.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/circuit_breaker/circuit_breaker.proto.sk.md index c29db57394d..600f7ebb610 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/circuit_breaker/circuit_breaker.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/circuit_breaker/circuit_breaker.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### CircuitBreakerConfig +### CircuitBreakerConfig {#circuitbreakerconfig} CircuitBreakerConfig contains the options for customizing circuit breaking behavior. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/connection.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/connection.proto.sk.md index c53c2a768d6..524d199cb34 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/connection.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/connection.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [ConnectionConfig](#connectionconfig) -- [TcpKeepAlive](#tcpkeepalive) +- [TcpKeepAlive](#tcpkeepalive-1) @@ -24,7 +24,7 @@ weight: 5 --- -### ConnectionConfig +### ConnectionConfig {#connectionconfig} Fine tune the settings for connections to an upstream 
@@ -52,7 +52,7 @@ Fine tune the settings for connections to an upstream --- -### TcpKeepAlive +### TcpKeepAlive {#tcpkeepalive-1} If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/matchers/matchers.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/matchers/matchers.proto.sk.md index dfbd7954e68..8f51cac9806 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/matchers/matchers.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/matchers/matchers.proto.sk.md @@ -11,10 +11,10 @@ weight: 5 **Types:** -- [Matcher](#matcher) -- [ConnectMatcher](#connectmatcher) -- [HeaderMatcher](#headermatcher) -- [QueryParameterMatcher](#queryparametermatcher) +- [Matcher](#matcher-4) +- [ConnectMatcher](#connectmatcher-2) +- [HeaderMatcher](#headermatcher-2) +- [QueryParameterMatcher](#queryparametermatcher-2) @@ -26,7 +26,7 @@ weight: 5 --- -### Matcher +### Matcher {#matcher-4} Parameters for matching routes to requests received by a Gloo-managed proxy @@ -58,7 +58,7 @@ Parameters for matching routes to requests received by a Gloo-managed proxy --- -### ConnectMatcher +### ConnectMatcher {#connectmatcher-2} @@ -73,7 +73,7 @@ Parameters for matching routes to requests received by a Gloo-managed proxy --- -### HeaderMatcher +### HeaderMatcher {#headermatcher-2} Internally, Gloo always uses the HTTP/2 *:authority* header to represent the HTTP/1 *Host* header. @@ -98,7 +98,7 @@ Thus, if attempting to match on *Host*, match on *:authority* instead. --- -### QueryParameterMatcher +### QueryParameterMatcher {#queryparametermatcher-2} Query parameter matching treats the query string of a request's :path header 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/selectors/selectors.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/selectors/selectors.proto.sk.md index b706731fafd..199321ceee9 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/selectors/selectors.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/core/selectors/selectors.proto.sk.md @@ -12,8 +12,8 @@ weight: 5 - [Selector](#selector) -- [Expression](#expression) -- [Operator](#operator) +- [Expression](#expression-2) +- [Operator](#operator-2) @@ -25,7 +25,7 @@ weight: 5 --- -### Selector +### Selector {#selector} @@ -46,7 +46,7 @@ weight: 5 --- -### Expression +### Expression {#expression-2} @@ -67,7 +67,7 @@ weight: 5 --- -### Operator +### Operator {#operator-2} Selector expression operator, while the set-based syntax differs from Kubernetes (kubernetes: `key: !mylabel`, gloo: `key: mylabel, operator: "!"` | kubernetes: `key: mylabel`, gloo: `key: mylabel, operator: exists`), the functionality remains the same. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/destination_spec.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/destination_spec.proto.sk.md index 365400b979e..5ba50ebcfcc 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/destination_spec.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/destination_spec.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### DestinationSpec +### DestinationSpec {#destinationspec} Configuration for Destinations that are tied to the UpstreamSpec or ServiceSpec on that destination 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/endpoint.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/endpoint.proto.sk.md index 1a403f66527..1607b454078 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/endpoint.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/endpoint.proto.sk.md @@ -24,7 +24,7 @@ weight: 5 --- -### Endpoint +### Endpoint {#endpoint} Endpoints represent dynamically discovered address/ports where an upstream service is listening @@ -52,7 +52,7 @@ Endpoints represent dynamically discovered address/ports where an upstream servi --- -### HealthCheckConfig +### HealthCheckConfig {#healthcheckconfig} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ai/ai.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ai/ai.proto.sk.md index e67a8c8d335..84f450557fd 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ai/ai.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ai/ai.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [SingleAuthToken](#singleauthtoken) -- [Passthrough](#passthrough) +- [Passthrough](#passthrough-1) - [UpstreamSpec](#upstreamspec) - [PathOverride](#pathoverride) - [CustomHost](#customhost) 
@@ -31,31 +31,31 @@ weight: 5 - [Priority](#priority) - [RouteSettings](#routesettings) - [RouteType](#routetype) -- [FieldDefault](#fielddefault) +- [FieldDefault](#fielddefault-1) - [Postgres](#postgres) - [Embedding](#embedding) -- [OpenAI](#openai) -- [AzureOpenAI](#azureopenai) +- [OpenAI](#openai-1) +- [AzureOpenAI](#azureopenai-1) - [SemanticCache](#semanticcache) - [Redis](#redis) - [Weaviate](#weaviate) - [DataStore](#datastore) -- [Mode](#mode) +- [Mode](#mode-1) - [RAG](#rag) -- [DataStore](#datastore) +- [DataStore](#datastore-1) - [AIPromptEnrichment](#aipromptenrichment) -- [Message](#message) +- [Message](#message-1) - [AIPromptGuard](#aipromptguard) - [Regex](#regex) - [RegexMatch](#regexmatch) - [BuiltIn](#builtin) -- [Action](#action) +- [Action](#action-3) - [Webhook](#webhook) - [HeaderMatch](#headermatch) - [MatchType](#matchtype) - [Moderation](#moderation) -- [OpenAI](#openai) -- [Request](#request) +- [OpenAI](#openai-2) +- [Request](#request-1) - [CustomResponse](#customresponse) - [Response](#response) @@ -76,7 +76,7 @@ weight: 5 --- -### SingleAuthToken +### SingleAuthToken {#singleauthtoken} The authorization token that the AI gateway uses to access the LLM provider API. @@ -102,7 +102,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Passthrough +### Passthrough {#passthrough-1} Configuration for passthrough of the existing token. @@ -123,7 +123,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec} When you deploy the Gloo AI Gateway, you can use the `spec.ai` section of the Upstream resource @@ -169,7 +169,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### PathOverride +### PathOverride {#pathoverride} Override the path used to send requests to the LLM provider. For example, you might need to go through a proxy 
@@ -190,7 +190,7 @@ and, as such, have a different path than the default for the LLM provider. --- -### CustomHost +### CustomHost {#customhost} Send requests to a custom host and port, such as to proxy the request and customize the chat completion path, @@ -218,7 +218,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### OpenAI +### OpenAI {#openai} Settings for the [OpenAI](https://platform.openai.com/docs/overview) LLM provider. @@ -243,7 +243,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### AzureOpenAI +### AzureOpenAI {#azureopenai} Settings for the [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/) LLM provider. @@ -274,7 +274,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Gemini +### Gemini {#gemini} Settings for the [Gemini](https://ai.google.dev/gemini-api/docs) LLM provider. @@ -303,7 +303,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### VertexAI +### VertexAI {#vertexai} Settings for the [Vertex AI](https://cloud.google.com/vertex-ai/docs) LLM provider. @@ -342,7 +342,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Publisher +### Publisher {#publisher} The type of publisher model to use. Currently, only Google is supported. @@ -358,7 +358,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Mistral +### Mistral {#mistral} Settings for the [Mistral AI](https://docs.mistral.ai/getting-started/quickstart/) LLM provider. @@ -383,7 +383,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Anthropic +### Anthropic {#anthropic} Settings for the [Anthropic](https://docs.anthropic.com/en/release-notes/api) LLM provider. 
@@ -410,7 +410,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Bedrock +### Bedrock {#bedrock} Settings for the Bedrock LLM provider @@ -437,7 +437,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### AwsCredentialProvider +### AwsCredentialProvider {#awscredentialprovider} AwsCredentialProvider provider for signing the request. @@ -460,7 +460,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### AWSInline +### AWSInline {#awsinline} Configuration to use an inline AWS credential. This is an equivalent to setting the well-known @@ -486,7 +486,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### MultiPool +### MultiPool {#multipool} Configure backends for multiple hosts or models from the same provider in one Upstream resource. @@ -537,7 +537,7 @@ multi: --- -### Backend +### Backend {#backend} An entry represeting an LLM provider backend that the AI Gateway routes requests to. @@ -570,7 +570,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Priority +### Priority {#priority} The order of `pool` entries within this section defines the priority of the backend endpoints. @@ -591,7 +591,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### RouteSettings +### RouteSettings {#routesettings} When you deploy the Gloo AI Gateway, you can use the `spec.options.ai` section @@ -629,7 +629,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### RouteType +### RouteType {#routetype} The type of route to the LLM provider API. @@ -646,7 +646,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### FieldDefault +### FieldDefault {#fielddefault-1} Provide defaults to merge with user input fields. 
@@ -690,7 +690,7 @@ defaults: --- -### Postgres +### Postgres {#postgres} Configuration settings for a Postgres datastore. @@ -713,7 +713,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Embedding +### Embedding {#embedding} Configuration of the API used to generate the embedding. @@ -736,7 +736,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### OpenAI +### OpenAI {#openai-1} Embedding settings for the OpenAI provider. @@ -757,7 +757,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### AzureOpenAI +### AzureOpenAI {#azureopenai-1} Embedding settings for the Azure OpenAI provider. @@ -784,7 +784,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### SemanticCache +### SemanticCache {#semanticcache} Cache previous model responses to provide faster responses to similar requests in the future. @@ -831,7 +831,7 @@ semanticCache: --- -### Redis +### Redis {#redis} Settings for a Redis database. @@ -854,7 +854,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Weaviate +### Weaviate {#weaviate} Settings for a Weaviate database. @@ -881,7 +881,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### DataStore +### DataStore {#datastore} Data store from which to cache the request and response pairs. @@ -904,7 +904,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Mode +### Mode {#mode-1} The caching mode to use for the request and response lifecycle. @@ -921,7 +921,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### RAG +### RAG {#rag} [Retrieval augmented generation (RAG)](https://research.ibm.com/blog/retrieval-augmented-generation-RAG) 
@@ -975,7 +975,7 @@ check out the [Retrieval augmented generation (RAG) tutorial](https://docs.solo. --- -### DataStore +### DataStore {#datastore-1} {{% notice note %}} @@ -995,7 +995,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### AIPromptEnrichment +### AIPromptEnrichment {#aipromptenrichment} Enrich requests sent to the LLM provider by appending and prepending system prompts. @@ -1050,7 +1050,7 @@ spec: --- -### Message +### Message {#message-1} An entry for a message to prepend or append to each prompt. @@ -1073,7 +1073,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### AIPromptGuard +### AIPromptGuard {#aipromptguard} Set up prompt guards to block unwanted requests to the LLM provider and mask sensitive data. @@ -1117,7 +1117,7 @@ promptGuard: --- -### Regex +### Regex {#regex} Regular expression (regex) matching for prompt guards and data masking. @@ -1142,7 +1142,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### RegexMatch +### RegexMatch {#regexmatch} Regular expression (regex) matching for prompt guards and data masking. @@ -1165,7 +1165,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### BuiltIn +### BuiltIn {#builtin} Built-in regex patterns for specific types of strings in prompts. @@ -1186,7 +1186,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Action +### Action {#action-3} The action to take if a regex pattern is matched in a request or response. @@ -1204,7 +1204,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Webhook +### Webhook {#webhook} Configure a webhook to forward requests or responses to for prompt guarding. 
@@ -1229,7 +1229,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### HeaderMatch +### HeaderMatch {#headermatch} Describes how to match a given string in HTTP headers. Match is case-sensitive. @@ -1252,7 +1252,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### MatchType +### MatchType {#matchtype} The header string match type. @@ -1272,7 +1272,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Moderation +### Moderation {#moderation} Pass prompt data through an external moderation model endpoint, @@ -1300,7 +1300,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### OpenAI +### OpenAI {#openai-2} Configure an OpenAI moderation endpoint. @@ -1323,7 +1323,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Request +### Request {#request-1} Prompt guards to apply to requests sent by the client. @@ -1350,7 +1350,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### CustomResponse +### CustomResponse {#customresponse} A custom response to return to the client if request content @@ -1374,7 +1374,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// --- -### Response +### Response {#response} Prompt guards to apply to responses returned by the LLM provider. @@ -1396,7 +1396,7 @@ The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https:// -### ApiJsonSchema +### ApiJsonSchema {#apijsonschema} Description: {{% notice note %}} The AI API is supported only in [Gloo Gateway (Kubernetes Gateway API)](https://docs.solo.io/gateway/main/ai/). It is not supported with the Gloo Edge API. 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/caching/caching.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/caching/caching.proto.sk.md index e75f38a113f..4163588aed3 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/caching/caching.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/caching/caching.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### Settings +### Settings {#settings} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/dlp/dlp.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/dlp/dlp.proto.sk.md index d26f75824f5..f37f2b26289 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/dlp/dlp.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/dlp/dlp.proto.sk.md @@ -15,8 +15,8 @@ weight: 5 - [EnableFor](#enablefor) - [DlpRule](#dlprule) - [Config](#config) -- [EnableFor](#enablefor) -- [Action](#action) +- [EnableFor](#enablefor-1) +- [Action](#action-4) - [ActionType](#actiontype) - [CustomAction](#customaction) - [KeyValueAction](#keyvalueaction) @@ -31,7 +31,7 @@ weight: 5 --- -### FilterConfig +### FilterConfig {#filterconfig} Listener level config for dlp filter @@ -51,7 +51,7 @@ Listener level config for dlp filter --- -### EnableFor +### EnableFor {#enablefor} @@ -65,7 +65,7 @@ Listener level config for dlp filter --- -### DlpRule +### DlpRule {#dlprule} Rule which applies a given set of actions to a matching route. @@ -86,7 +86,7 @@ The route matching functions exactly the same as the envoy routes in the virtual --- -### Config +### Config {#config} Route/Vhost level config for dlp filter 
@@ -109,7 +109,7 @@ listener level config. --- -### EnableFor +### EnableFor {#enablefor-1} @@ -123,7 +123,7 @@ listener level config. --- -### Action +### Action {#action-4} A single action meant to mask sensitive data. @@ -170,7 +170,7 @@ percent: 60 --- -### ActionType +### ActionType {#actiontype} The following pre-made action types map to subgroup 1 of the listed regex patterns: @@ -230,7 +230,7 @@ ALL_CREDIT_CARDS_COMBINED: --- -### CustomAction +### CustomAction {#customaction} A user defined custom action to carry out on the response body. @@ -276,7 +276,7 @@ If the mask_char, and percent were left to default, the result would be: --- -### KeyValueAction +### KeyValueAction {#keyvalueaction} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md index 15cb9af6a41..a90f9b4e3a3 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth-internal.proto.sk.md @@ -13,7 +13,7 @@ weight: 5 - [ExtAuthConfig](#extauthconfig) - [Azure](#azure) -- [ClaimToHeader](#claimtoheader) +- [ClaimToHeader](#claimtoheader-1) - [BasicAuthInternal](#basicauthinternal) - [EncryptionType](#encryptiontype) - [Sha1](#sha1) 
@@ -31,11 +31,11 @@ weight: 5 - [FrontChannelLogout](#frontchannellogout) - [AccessTokenValidationConfig](#accesstokenvalidationconfig) - [JwtValidation](#jwtvalidation) -- [RemoteJwks](#remotejwks) +- [RemoteJwks](#remotejwks-1) - [LocalJwks](#localjwks) - [IntrospectionValidation](#introspectionvalidation) - [ScopeList](#scopelist) -- [Default](#default) +- [Default](#default-1) - [PlainOAuth2Config](#plainoauth2config) - [OAuth2Config](#oauth2config) - [ApiKeyAuthConfig](#apikeyauthconfig) @@ -49,7 +49,7 @@ weight: 5 - [InMemorySecretList](#inmemorysecretlist) - [PassthroughAuthInternalConfig](#passthroughauthinternalconfig) - [PassthroughAuthTlsConfigData](#passthroughauthtlsconfigdata) -- [Config](#config) +- [Config](#config-1) - [ApiKeyCreateRequest](#apikeycreaterequest) - [ApiKeyCreateResponse](#apikeycreateresponse) - [ApiKeyReadRequest](#apikeyreadrequest) @@ -69,7 +69,7 @@ weight: 5 --- -### ExtAuthConfig +### ExtAuthConfig {#extauthconfig} @@ -95,7 +95,7 @@ rules about breaking changes still apply to ensure we do not get errors during u --- -### Azure +### Azure {#azure} For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider. @@ -120,7 +120,7 @@ This way, you can enable distributed claims and caching for when users are membe --- -### ClaimToHeader +### ClaimToHeader {#claimtoheader-1} Map a single claim from an OAuth2 or OIDC token to a header in the request to the upstream destination. @@ -142,7 +142,7 @@ Map a single claim from an OAuth2 or OIDC token to a header in the request to th --- -### BasicAuthInternal +### BasicAuthInternal {#basicauthinternal} Message to store Basic Auth Configuration. @@ -166,7 +166,7 @@ If only the legacy "apr" field is defined, the existing public BasicAuth configu --- -### EncryptionType +### EncryptionType {#encryptiontype} Selection of hashing algorithms to use for password hashing. 
@@ -186,7 +186,7 @@ Selection of hashing algorithms to use for password hashing. --- -### Sha1 +### Sha1 {#sha1} @@ -201,7 +201,7 @@ Selection of hashing algorithms to use for password hashing. --- -### Apr +### Apr {#apr} @@ -216,7 +216,7 @@ Selection of hashing algorithms to use for password hashing. --- -### User +### User {#user} To authenticate a user we need the salt and hashed password. The username is expected to be the key in a map of Users. @@ -236,7 +236,7 @@ To authenticate a user we need the salt and hashed password. The username is exp --- -### UserList +### UserList {#userlist} Map of valid usernames to stored credentials @@ -254,7 +254,7 @@ Map of valid usernames to stored credentials --- -### OAuthConfig +### OAuthConfig {#oauthconfig} Deprecated, prefer OAuth2Config @@ -284,7 +284,7 @@ Deprecated, prefer OAuth2Config --- -### UserSessionConfig +### UserSessionConfig {#usersessionconfig} @@ -309,7 +309,7 @@ Deprecated, prefer OAuth2Config --- -### CipherConfig +### CipherConfig {#cipherconfig} @@ -326,7 +326,7 @@ Deprecated, prefer OAuth2Config --- -### OidcAuthorizationCodeConfig +### OidcAuthorizationCodeConfig {#oidcauthorizationcodeconfig} @@ -395,7 +395,7 @@ Deprecated, prefer OAuth2Config --- -### PkJwtClientAuthenticationConfig +### PkJwtClientAuthenticationConfig {#pkjwtclientauthenticationconfig} Fields for private key JWT Client Authentication. @@ -415,7 +415,7 @@ Fields for private key JWT Client Authentication. --- -### AccessToken +### AccessToken {#accesstoken} Optional: Map a single claim from an OAuth2 access token to a header in the request to the upstream destination. @@ -433,7 +433,7 @@ Optional: Map a single claim from an OAuth2 access token to a header in the requ --- -### IdentityToken +### IdentityToken {#identitytoken} Optional: Map a single claim from an OIDC identity token to a header in the request to the upstream destination. 
@@ -451,7 +451,7 @@ Optional: Map a single claim from an OIDC identity token to a header in the requ --- -### Default +### Default {#default} No-op, represents default OIDC behavior @@ -467,7 +467,7 @@ No-op, represents default OIDC behavior --- -### FrontChannelLogout +### FrontChannelLogout {#frontchannellogout} For the moment this is just path, but we may want to configure things like iss/sid validation @@ -485,7 +485,7 @@ For the moment this is just path, but we may want to configure things like iss/s --- -### AccessTokenValidationConfig +### AccessTokenValidationConfig {#accesstokenvalidationconfig} @@ -520,7 +520,7 @@ For the moment this is just path, but we may want to configure things like iss/s --- -### JwtValidation +### JwtValidation {#jwtvalidation} Defines how JSON Web Token (JWT) access tokens are validated. @@ -559,7 +559,7 @@ If the JWT has been successfully validated, its set of claims will be added to t --- -### RemoteJwks +### RemoteJwks {#remotejwks-1} Specifies how to fetch JWKS from remote and how to cache it. @@ -579,7 +579,7 @@ Specifies how to fetch JWKS from remote and how to cache it. --- -### LocalJwks +### LocalJwks {#localjwks} Represents a locally available JWKS. @@ -597,7 +597,7 @@ Represents a locally available JWKS. --- -### IntrospectionValidation +### IntrospectionValidation {#introspectionvalidation} Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated @@ -626,7 +626,7 @@ These values will be encoded in a basic auth header in order to authenticate the --- -### ScopeList +### ScopeList {#scopelist} @@ -643,7 +643,7 @@ These values will be encoded in a basic auth header in order to authenticate the --- -### Default +### Default {#default-1} No-op, represents default OIDC behavior @@ -659,7 +659,7 @@ No-op, represents default OIDC behavior --- -### PlainOAuth2Config +### PlainOAuth2Config {#plainoauth2config} 
@@ -702,7 +702,7 @@ No-op, represents default OIDC behavior --- -### OAuth2Config +### OAuth2Config {#oauth2config} @@ -723,7 +723,7 @@ No-op, represents default OIDC behavior --- -### ApiKeyAuthConfig +### ApiKeyAuthConfig {#apikeyauthconfig} **NOTE: This configuration is not user-facing and will be auto generated** @@ -753,7 +753,7 @@ No-op, represents default OIDC behavior --- -### KeyMetadata +### KeyMetadata {#keymetadata} @@ -772,7 +772,7 @@ No-op, represents default OIDC behavior --- -### OpaAuthConfig +### OpaAuthConfig {#opaauthconfig} @@ -793,7 +793,7 @@ No-op, represents default OIDC behavior --- -### OpaServerAuthConfig +### OpaServerAuthConfig {#opaserverauthconfig} Configure the Gloo external auth server to use your own Open Policy Agent (OPA) server. @@ -818,7 +818,7 @@ This way, you can use extra capabilities such as bundling or caching. --- -### LdapConfig +### LdapConfig {#ldapconfig} @@ -849,7 +849,7 @@ This way, you can use extra capabilities such as bundling or caching. --- -### LdapServiceAccountConfig +### LdapServiceAccountConfig {#ldapserviceaccountconfig} @@ -870,7 +870,7 @@ This way, you can use extra capabilities such as bundling or caching. --- -### HmacAuthConfig +### HmacAuthConfig {#hmacauthconfig} @@ -889,7 +889,7 @@ This way, you can use extra capabilities such as bundling or caching. --- -### PortalAuthConfig +### PortalAuthConfig {#portalauthconfig} This API is only supported for Gloo Gateway Portal. @@ -915,7 +915,7 @@ This API is only supported for Gloo Gateway Portal. --- -### InMemorySecretList +### InMemorySecretList {#inmemorysecretlist} @@ -932,7 +932,7 @@ This API is only supported for Gloo Gateway Portal. --- -### PassthroughAuthInternalConfig +### PassthroughAuthInternalConfig {#passthroughauthinternalconfig} 
@@ -951,7 +951,7 @@ This API is only supported for Gloo Gateway Portal. --- -### PassthroughAuthTlsConfigData +### PassthroughAuthTlsConfigData {#passthroughauthtlsconfigdata} PassthroughAuthTlsConfigData defines the internal structure used to configure @@ -985,7 +985,7 @@ and advanced configuration support. --- -### Config +### Config {#config-1} @@ -1032,7 +1032,7 @@ and advanced configuration support. --- -### ApiKeyCreateRequest +### ApiKeyCreateRequest {#apikeycreaterequest} @@ -1051,7 +1051,7 @@ and advanced configuration support. --- -### ApiKeyCreateResponse +### ApiKeyCreateResponse {#apikeycreateresponse} @@ -1068,7 +1068,7 @@ and advanced configuration support. --- -### ApiKeyReadRequest +### ApiKeyReadRequest {#apikeyreadrequest} @@ -1087,7 +1087,7 @@ and advanced configuration support. --- -### ApiKeyReadResponse +### ApiKeyReadResponse {#apikeyreadresponse} @@ -1104,7 +1104,7 @@ and advanced configuration support. --- -### ApiKeyUpdateRequest +### ApiKeyUpdateRequest {#apikeyupdaterequest} @@ -1125,7 +1125,7 @@ and advanced configuration support. --- -### ApiKeyUpdateResponse +### ApiKeyUpdateResponse {#apikeyupdateresponse} @@ -1142,7 +1142,7 @@ and advanced configuration support. --- -### ApiKeyDeleteRequest +### ApiKeyDeleteRequest {#apikeydeleterequest} @@ -1161,7 +1161,7 @@ and advanced configuration support. --- -### ApiKeyDeleteResponse +### ApiKeyDeleteResponse {#apikeydeleteresponse} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md index 5815c46c76d..6aabbdf931e 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md 
@@ -12,25 +12,25 @@ weight: 5 - [AuthConfig](#authconfig) **Top-Level Resource** -- [Config](#config) +- [Config](#config-2) - [ExtAuthExtension](#extauthextension) -- [Settings](#settings) +- [Settings](#settings-1) - [ApiVersion](#apiversion) -- [GrpcService](#grpcservice) +- [GrpcService](#grpcservice-2) - [HttpService](#httpservice) -- [Request](#request) -- [Response](#response) +- [Request](#request-2) +- [Response](#response-1) - [BufferSettings](#buffersettings) - [CustomAuth](#customauth) - [AuthPlugin](#authplugin) - [BasicAuth](#basicauth) -- [Apr](#apr) +- [Apr](#apr-1) - [SaltedHashedPassword](#saltedhashedpassword) -- [EncryptionType](#encryptiontype) -- [Sha1](#sha1) -- [Apr](#apr) -- [User](#user) -- [UserList](#userlist) +- [EncryptionType](#encryptiontype-1) +- [Sha1](#sha1-1) +- [Apr](#apr-2) +- [User](#user-1) +- [UserList](#userlist-1) - [HmacAuth](#hmacauth) - [SecretRefList](#secretreflist) - [HmacParametersInHeaders](#hmacparametersinheaders) 
@@ -43,31 +43,31 @@ weight: 5 - [RedisSession](#redissession) - [CookieOptions](#cookieoptions) - [SameSite](#samesite) -- [CipherConfig](#cipherconfig) +- [CipherConfig](#cipherconfig-1) - [HeaderConfiguration](#headerconfiguration) - [DiscoveryOverride](#discoveryoverride) - [JwksOnDemandCacheRefreshPolicy](#jwksondemandcacherefreshpolicy) - [AutoMapFromMetadata](#automapfrommetadata) - [EndSessionProperties](#endsessionproperties) - [MethodType](#methodtype) -- [ClaimToHeader](#claimtoheader) -- [Azure](#azure) +- [ClaimToHeader](#claimtoheader-2) +- [Azure](#azure-1) - [OidcAuthorizationCode](#oidcauthorizationcode) -- [AccessToken](#accesstoken) -- [IdentityToken](#identitytoken) +- [AccessToken](#accesstoken-1) +- [IdentityToken](#identitytoken-1) - [ClientAuthentication](#clientauthentication) - [ClientSecret](#clientsecret) - [PrivateKeyJwt](#privatekeyjwt) -- [Default](#default) -- [FrontChannelLogout](#frontchannellogout) +- [Default](#default-2) +- [FrontChannelLogout](#frontchannellogout-1) - [PlainOAuth2](#plainoauth2) -- [JwtValidation](#jwtvalidation) -- [RemoteJwks](#remotejwks) -- [LocalJwks](#localjwks) -- [IntrospectionValidation](#introspectionvalidation) +- [JwtValidation](#jwtvalidation-1) +- [RemoteJwks](#remotejwks-2) +- [LocalJwks](#localjwks-1) +- [IntrospectionValidation](#introspectionvalidation-1) - [AccessTokenValidation](#accesstokenvalidation) -- [Default](#default) -- [ScopeList](#scopelist) +- [Default](#default-3) +- [ScopeList](#scopelist-1) - [OauthSecret](#oauthsecret) - [ApiKeyAuth](#apikeyauth) - [SecretKey](#secretkey) 
@@ -87,12 +87,12 @@ weight: 5 - [ConnectionPool](#connectionpool) - [LdapServiceAccount](#ldapserviceaccount) - [PassThroughAuth](#passthroughauth) -- [BackoffStrategy](#backoffstrategy) -- [RetryPolicy](#retrypolicy) +- [BackoffStrategy](#backoffstrategy-1) +- [RetryPolicy](#retrypolicy-3) - [PassThroughGrpc](#passthroughgrpc) - [PassThroughHttp](#passthroughhttp) -- [Request](#request) -- [Response](#response) +- [Request](#request-3) +- [Response](#response-2) - [PassThroughGrpcTLSConfig](#passthroughgrpctlsconfig) - [PassThroughHttpTLSConfig](#passthroughhttptlsconfig) - [SslParameters](#sslparameters) @@ -109,7 +109,7 @@ weight: 5 --- -### AuthConfig +### AuthConfig {#authconfig} This is the user-facing auth configuration. When processed by Gloo, certain configuration types (i.a. oauth, opa) @@ -137,7 +137,7 @@ format that will be included in the extauth snapshot. --- -### Config +### Config {#config-2} @@ -178,7 +178,7 @@ format that will be included in the extauth snapshot. --- -### ExtAuthExtension +### ExtAuthExtension {#extauthextension} Auth configurations defined on virtual hosts, routes, and weighted destinations will be unmarshalled to this message. @@ -200,7 +200,7 @@ Auth configurations defined on virtual hosts, routes, and weighted destinations --- -### Settings +### Settings {#settings-1} Global external auth settings @@ -238,7 +238,7 @@ Global external auth settings --- -### ApiVersion +### ApiVersion {#apiversion} Describes the transport protocol version to use when connecting to the ext auth server. @@ -251,7 +251,7 @@ Describes the transport protocol version to use when connecting to the ext auth --- -### GrpcService +### GrpcService {#grpcservice-2} @@ -268,7 +268,7 @@ Describes the transport protocol version to use when connecting to the ext auth --- -### HttpService +### HttpService {#httpservice} @@ -289,7 +289,7 @@ Describes the transport protocol version to use when connecting to the ext auth --- -### Request +### Request {#request-2} 
@@ -310,7 +310,7 @@ Describes the transport protocol version to use when connecting to the ext auth --- -### Response +### Response {#response-1} @@ -331,7 +331,7 @@ Describes the transport protocol version to use when connecting to the ext auth --- -### BufferSettings +### BufferSettings {#buffersettings} Configuration for buffering the request data. @@ -353,7 +353,7 @@ Configuration for buffering the request data. --- -### CustomAuth +### CustomAuth {#customauth} Gloo is not expected to configure the ext auth server in this case. @@ -374,7 +374,7 @@ This is used with custom auth servers. --- -### AuthPlugin +### AuthPlugin {#authplugin} **Deprecated**: The pluginAuth config type is deprecated and will be removed in a future release. Use passThroughAuth instead. @@ -398,7 +398,7 @@ This is used with custom auth servers. --- -### BasicAuth +### BasicAuth {#basicauth} This is the legacy/simple basic auth config. It supports the APR and SHA-1 hashing algorithms. @@ -426,7 +426,7 @@ use a different type of auth config or configure a different header, such as `X- --- -### Apr +### Apr {#apr-1} If 'apr' is defined, 'encryption' and 'user_source' must not be defined or the config will fail validation @@ -444,7 +444,7 @@ If 'apr' is defined, 'encryption' and 'user_source' must not be defined or the c --- -### SaltedHashedPassword +### SaltedHashedPassword {#saltedhashedpassword} Message to store the salt and salted hashed password for a user @@ -464,7 +464,7 @@ Message to store the salt and salted hashed password for a user --- -### EncryptionType +### EncryptionType {#encryptiontype-1} The encryption/hashing algorithm to use to store the password @@ -484,7 +484,7 @@ The encryption/hashing algorithm to use to store the password --- -### Sha1 +### Sha1 {#sha1-1} Sha1 encryption type (https://datatracker.ietf.org/doc/html/rfc3174) 
@@ -501,7 +501,7 @@ Sha1 is considered insecure and is not recommended for production use --- -### Apr +### Apr {#apr-2} Apache specific iterated MD5 hashing: (https://httpd.apache.org/docs/2.4/misc/password_encryptions.html) @@ -517,7 +517,7 @@ Apache specific iterated MD5 hashing: (https://httpd.apache.org/docs/2.4/misc/pa --- -### User +### User {#user-1} Message to store user data. We need the salt and salted hashed password for each user @@ -537,7 +537,7 @@ Message to store user data. We need the salt and salted hashed password for each --- -### UserList +### UserList {#userlist-1} Map of valid usernames to stored credentials @@ -555,7 +555,7 @@ Map of valid usernames to stored credentials --- -### HmacAuth +### HmacAuth {#hmacauth} HMAC is a message authentication technique that can use multiple algorithms for finding credentials and generating signed messages. @@ -576,7 +576,7 @@ It conforms to https://www.ietf.org/rfc/rfc2104.txt --- -### SecretRefList +### SecretRefList {#secretreflist} @@ -593,7 +593,7 @@ It conforms to https://www.ietf.org/rfc/rfc2104.txt --- -### HmacParametersInHeaders +### HmacParametersInHeaders {#hmacparametersinheaders} Extract the HMAC parameters from the HTTP headers and use SHA-1 hashing @@ -609,7 +609,7 @@ Extract the HMAC parameters from the HTTP headers and use SHA-1 hashing --- -### OAuth +### OAuth {#oauth} Deprecated: Prefer OAuth2 @@ -639,7 +639,7 @@ Deprecated: Prefer OAuth2 --- -### OAuth2 +### OAuth2 {#oauth2} @@ -660,7 +660,7 @@ Deprecated: Prefer OAuth2 --- -### RedisOptions +### RedisOptions {#redisoptions} @@ -685,7 +685,7 @@ Deprecated: Prefer OAuth2 --- -### SocketType +### SocketType {#sockettype} redis socket types @@ -699,7 +699,7 @@ redis socket types --- -### UserSession +### UserSession {#usersession} @@ -724,7 +724,7 @@ redis socket types --- -### InternalSession +### InternalSession {#internalsession} @@ -745,7 +745,7 @@ redis socket types --- -### RedisSession +### RedisSession {#redissession} 
@@ -774,7 +774,7 @@ redis socket types --- -### CookieOptions +### CookieOptions {#cookieoptions} @@ -801,7 +801,7 @@ redis socket types --- -### SameSite +### SameSite {#samesite} The SameSite options. The default value is LaxMode. @@ -817,7 +817,7 @@ The SameSite options. The default value is LaxMode. --- -### CipherConfig +### CipherConfig {#cipherconfig-1} the cipher config is used to encrypt session cookie values. This is currently only available for OIDC. @@ -835,7 +835,7 @@ the cipher config is used to encrypt session cookie values. This is currently o --- -### HeaderConfiguration +### HeaderConfiguration {#headerconfiguration} @@ -856,7 +856,7 @@ the cipher config is used to encrypt session cookie values. This is currently o --- -### DiscoveryOverride +### DiscoveryOverride {#discoveryoverride} OIDC configuration is discovered at /.well-known/openid-configuration @@ -896,7 +896,7 @@ https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata --- -### JwksOnDemandCacheRefreshPolicy +### JwksOnDemandCacheRefreshPolicy {#jwksondemandcacherefreshpolicy} The json web key set (JWKS) (https://datatracker.ietf.org/doc/html/rfc7517) is discovered at an interval @@ -925,7 +925,7 @@ not yet in the local cache. --- -### AutoMapFromMetadata +### AutoMapFromMetadata {#automapfrommetadata} @@ -942,7 +942,7 @@ not yet in the local cache. --- -### EndSessionProperties +### EndSessionProperties {#endsessionproperties} @@ -959,7 +959,7 @@ not yet in the local cache. --- -### MethodType +### MethodType {#methodtype} The Method used to make the request. @@ -973,7 +973,7 @@ The Method used to make the request. --- -### ClaimToHeader +### ClaimToHeader {#claimtoheader-2} Map a single claim from an OAuth2 or OIDC token to a header in the request to the upstream destination. 
@@ -995,7 +995,7 @@ Map a single claim from an OAuth2 or OIDC token to a header in the request to th --- -### Azure +### Azure {#azure-1} For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider. @@ -1020,7 +1020,7 @@ This way, you can enable distributed claims and caching for when users are membe --- -### OidcAuthorizationCode +### OidcAuthorizationCode {#oidcauthorizationcode} @@ -1089,7 +1089,7 @@ This way, you can enable distributed claims and caching for when users are membe --- -### AccessToken +### AccessToken {#accesstoken-1} Optional: Map a single claim from an OAuth2 access token to a header in the request to the upstream destination. @@ -1110,7 +1110,7 @@ and configure the `clearRouteCache` or `recalculateRoutingDestination` options. --- -### IdentityToken +### IdentityToken {#identitytoken-1} Optional: Map a single claim from an OIDC identity token to a header in the request to the upstream destination. @@ -1128,7 +1128,7 @@ Optional: Map a single claim from an OIDC identity token to a header in the requ --- -### ClientAuthentication +### ClientAuthentication {#clientauthentication} Configuration specific to the client authentication type used to exchange the access code for the access and id tokens. @@ -1148,7 +1148,7 @@ Configuration specific to the client authentication type used to exchange the ac --- -### ClientSecret +### ClientSecret {#clientsecret} Client Secret Authentication requires a client secret (unless it is disabled) @@ -1168,7 +1168,7 @@ Client Secret Authentication requires a client secret (unless it is disabled) --- -### PrivateKeyJwt +### PrivateKeyJwt {#privatekeyjwt} Private Key JWT Authentication requires a signing key for the JWT and an duration for the JWT to be valid. @@ -1188,7 +1188,7 @@ Private Key JWT Authentication requires a signing key for the JWT and an duratio --- -### Default +### Default {#default-2} No-op, represents default OIDC behavior 
@@ -1204,7 +1204,7 @@ No-op, represents default OIDC behavior --- -### FrontChannelLogout +### FrontChannelLogout {#frontchannellogout-1} For the moment this is just path, but we may want to configure things like iss/sid validation @@ -1222,7 +1222,7 @@ For the moment this is just path, but we may want to configure things like iss/s --- -### PlainOAuth2 +### PlainOAuth2 {#plainoauth2} @@ -1265,7 +1265,7 @@ For the moment this is just path, but we may want to configure things like iss/s --- -### JwtValidation +### JwtValidation {#jwtvalidation-1} Defines how JSON Web Token (JWT) access tokens are validated. @@ -1304,7 +1304,7 @@ If the JWT has been successfully validated, its set of claims will be added to t --- -### RemoteJwks +### RemoteJwks {#remotejwks-2} Specifies how to fetch JWKS from remote and how to cache it. @@ -1324,7 +1324,7 @@ Specifies how to fetch JWKS from remote and how to cache it. --- -### LocalJwks +### LocalJwks {#localjwks-1} Represents a locally available JWKS. @@ -1342,7 +1342,7 @@ Represents a locally available JWKS. --- -### IntrospectionValidation +### IntrospectionValidation {#introspectionvalidation-1} Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated @@ -1373,7 +1373,7 @@ These values will be encoded in a basic auth header in order to authenticate the --- -### AccessTokenValidation +### AccessTokenValidation {#accesstokenvalidation} @@ -1408,7 +1408,7 @@ These values will be encoded in a basic auth header in order to authenticate the --- -### Default +### Default {#default-3} No-op, represents default OIDC distributed claims behavior @@ -1424,7 +1424,7 @@ No-op, represents default OIDC distributed claims behavior --- -### ScopeList +### ScopeList {#scopelist-1} @@ -1441,7 +1441,7 @@ No-op, represents default OIDC distributed claims behavior --- -### OauthSecret +### OauthSecret {#oauthsecret} 
@@ -1458,7 +1458,7 @@ No-op, represents default OIDC distributed claims behavior --- -### ApiKeyAuth +### ApiKeyAuth {#apikeyauth} Defines how API keys are validated. @@ -1493,7 +1493,7 @@ added to the `AuthorizationRequest` state under the "api_key_value" key name. --- -### SecretKey +### SecretKey {#secretkey} DEPRECATED: use generalized MetadataEntry @@ -1513,7 +1513,7 @@ DEPRECATED: use generalized MetadataEntry --- -### MetadataEntry +### MetadataEntry {#metadataentry} For the K8s secret backend, this data is stored as key-value data in the secret itself. @@ -1534,7 +1534,7 @@ For the Aerospike backend, this data is stored as bins on the key's record --- -### K8sSecretApiKeyStorage +### K8sSecretApiKeyStorage {#k8ssecretapikeystorage} @@ -1553,7 +1553,7 @@ For the Aerospike backend, this data is stored as bins on the key's record --- -### AerospikeApiKeyStorage +### AerospikeApiKeyStorage {#aerospikeapikeystorage} Deprecated: Support for Aerospike is deprecated and will be removed in a future release. @@ -1604,7 +1604,7 @@ Use of this feature is not recommended. --- -### readModeSc +### readModeSc {#readmodesc} @@ -1627,7 +1627,7 @@ Use of this feature is not recommended. --- -### readModeAp +### readModeAp {#readmodeap} @@ -1646,7 +1646,7 @@ Use of this feature is not recommended. --- -### tlsCurveID +### tlsCurveID {#tlscurveid} @@ -1669,7 +1669,7 @@ Use of this feature is not recommended. --- -### ServerDefaultApiKeyStorage +### ServerDefaultApiKeyStorage {#serverdefaultapikeystorage} When no storage backend is specified, the default storage backend defined in the extauth server is used. @@ -1685,7 +1685,7 @@ When no storage backend is specified, the default storage backend defined in the --- -### ApiKey +### ApiKey {#apikey} @@ -1708,7 +1708,7 @@ When no storage backend is specified, the default storage backend defined in the --- -### ApiKeySecret +### ApiKeySecret {#apikeysecret} DEPRECATED: use ApiKey 
@@ -1730,7 +1730,7 @@ DEPRECATED: use ApiKey --- -### OpaAuth +### OpaAuth {#opaauth} Enforce Open Policy Agent (OPA) policies through an OPA engine @@ -1757,7 +1757,7 @@ by using the OpaServerAuth setting instead. --- -### OpaAuthOptions +### OpaAuthOptions {#opaauthoptions} @@ -1776,7 +1776,7 @@ by using the OpaServerAuth setting instead. --- -### OpaServerAuth +### OpaServerAuth {#opaserverauth} Enforce Open Policy Agent (OPA) policies through an OPA sidecar @@ -1804,7 +1804,7 @@ For smaller operations or quick tests, you might use the OpaAuth setting instead --- -### Ldap +### Ldap {#ldap} Authenticates and authorizes requests by querying an LDAP server. Gloo makes the following assumptions: @@ -1840,7 +1840,7 @@ Authenticates and authorizes requests by querying an LDAP server. Gloo makes the --- -### ConnectionPool +### ConnectionPool {#connectionpool} Configuration properties for pooling connections to the LDAP server. If the pool is exhausted when a connection @@ -1861,7 +1861,7 @@ is requested (meaning that all the pooled connections are in use), the connectio --- -### LdapServiceAccount +### LdapServiceAccount {#ldapserviceaccount} @@ -1880,7 +1880,7 @@ is requested (meaning that all the pooled connections are in use), the connectio --- -### PassThroughAuth +### PassThroughAuth {#passthroughauth} Authorizes requests by querying a custom extauth server. @@ -1904,7 +1904,7 @@ Authorizes requests by querying a custom extauth server. --- -### BackoffStrategy +### BackoffStrategy {#backoffstrategy-1} Configuration defining an exponential back off strategy. @@ -1924,7 +1924,7 @@ Configuration defining an exponential back off strategy. --- -### RetryPolicy +### RetryPolicy {#retrypolicy-3} The message specifies the retry policy of the external gRPC service when unable to initially connect. 
@@ -1944,7 +1944,7 @@ The message specifies the retry policy of the external gRPC service when unable --- -### PassThroughGrpc +### PassThroughGrpc {#passthroughgrpc} Authorizes requests by querying a custom extauth grpc server @@ -1972,7 +1972,7 @@ https://github.com/envoyproxy/envoy/blob/ae1ed1fa74f096dabe8dd5b19fc70333621b030 --- -### PassThroughHttp +### PassThroughHttp {#passthroughhttp} Authorizes requests by making a POST HTTP/1 request to a custom HTTP auth server @@ -2000,7 +2000,7 @@ else the request is unauthorized. --- -### Request +### Request {#request-3} The passthrough http request can be configured to pass through the incoming request body, @@ -2039,7 +2039,7 @@ JSON marshalling. --- -### Response +### Response {#response-2} @@ -2062,7 +2062,7 @@ JSON marshalling. --- -### PassThroughGrpcTLSConfig +### PassThroughGrpcTLSConfig {#passthroughgrpctlsconfig} TLS configuration for the extauth gRPC passthrough connection @@ -2082,7 +2082,7 @@ TLS configuration for the extauth gRPC passthrough connection --- -### PassThroughHttpTLSConfig +### PassThroughHttpTLSConfig {#passthroughhttptlsconfig} TLS configuration for the extauth HTTP passthrough connection @@ -2102,7 +2102,7 @@ TLS configuration for the extauth HTTP passthrough connection --- -### SslParameters +### SslParameters {#sslparameters} @@ -2121,7 +2121,7 @@ TLS configuration for the extauth HTTP passthrough connection --- -### ProtocolVersion +### ProtocolVersion {#protocolversion} @@ -2136,7 +2136,7 @@ TLS configuration for the extauth HTTP passthrough connection --- -### PortalAuth +### PortalAuth {#portalauth} PortalAuth is used to authorize requests for credentials generated by the portal web server. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extproc/extproc.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extproc/extproc.proto.sk.md index 4b6efbbe487..830fe547ebf 100644 
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extproc/extproc.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extproc/extproc.proto.sk.md @@ -11,9 +11,9 @@ weight: 5 **Types:** -- [Settings](#settings) -- [RouteSettings](#routesettings) -- [GrpcService](#grpcservice) +- [Settings](#settings-2) +- [RouteSettings](#routesettings-1) +- [GrpcService](#grpcservice-3) - [Overrides](#overrides) - [HeaderForwardingRules](#headerforwardingrules) @@ -27,7 +27,7 @@ weight: 5 --- -### Settings +### Settings {#settings-2} Enterprise-only: Configuration for Envoy's [External Processing Filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter). @@ -82,7 +82,7 @@ Users should take care to understand the risks of using this extension before pr --- -### RouteSettings +### RouteSettings {#routesettings-1} External processor settings that can be configured on a virtual host or route. @@ -102,7 +102,7 @@ External processor settings that can be configured on a virtual host or route. --- -### GrpcService +### GrpcService {#grpcservice-3} @@ -127,7 +127,7 @@ External processor settings that can be configured on a virtual host or route. --- -### Overrides +### Overrides {#overrides} @@ -156,7 +156,7 @@ External processor settings that can be configured on a virtual host or route. --- -### HeaderForwardingRules +### HeaderForwardingRules {#headerforwardingrules} The HeaderForwardingRules structure specifies what headers are diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/gcp/gcp.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/gcp/gcp.proto.sk.md index 54051f0af5f..26336fafcbd 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/gcp/gcp.proto.sk.md 
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/gcp/gcp.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) +- [UpstreamSpec](#upstreamspec-1) @@ -23,7 +23,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-1} Enterprise-only: Configuration to enable GCP authentication for upstreams. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/graphql/v1beta1/graphql.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/graphql/v1beta1/graphql.proto.sk.md index 6eb1c0614db..8ee178cb2e4 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/graphql/v1beta1/graphql.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/graphql/v1beta1/graphql.proto.sk.md 
@@ -11,27 +11,27 @@ weight: 5 **Types:** -- [RequestTemplate](#requesttemplate) -- [ResponseTemplate](#responsetemplate) -- [GrpcRequestTemplate](#grpcrequesttemplate) -- [RESTResolver](#restresolver) -- [GrpcDescriptorRegistry](#grpcdescriptorregistry) +- [RequestTemplate](#requesttemplate-1) +- [ResponseTemplate](#responsetemplate-1) +- [GrpcRequestTemplate](#grpcrequesttemplate-1) +- [RESTResolver](#restresolver-1) +- [GrpcDescriptorRegistry](#grpcdescriptorregistry-1) - [ProtoRefs](#protorefs) -- [GrpcResolver](#grpcresolver) +- [GrpcResolver](#grpcresolver-1) - [StitchedSchema](#stitchedschema) -- [SubschemaConfig](#subschemaconfig) +- [SubschemaConfig](#subschemaconfig-1) - [TypeMergeConfig](#typemergeconfig) - [MockResolver](#mockresolver) -- [AsyncResponse](#asyncresponse) -- [Resolution](#resolution) +- [AsyncResponse](#asyncresponse-1) +- [Resolution](#resolution-1) - [GraphQLApi](#graphqlapi) - [GraphQLApiOptions](#graphqlapioptions) -- [PersistedQueryCacheConfig](#persistedquerycacheconfig) -- [ExecutableSchema](#executableschema) -- [Executor](#executor) -- [Local](#local) +- [PersistedQueryCacheConfig](#persistedquerycacheconfig-1) +- [ExecutableSchema](#executableschema-1) +- [Executor](#executor-1) +- [Local](#local-1) - [LocalExecutorOptions](#localexecutoroptions) -- [Remote](#remote) +- [Remote](#remote-1) @@ -43,7 +43,7 @@ weight: 5 --- -### RequestTemplate +### RequestTemplate {#requesttemplate-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -59,7 +59,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### ResponseTemplate +### ResponseTemplate {#responsetemplate-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields 
@@ -75,7 +75,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### GrpcRequestTemplate +### GrpcRequestTemplate {#grpcrequesttemplate-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -91,7 +91,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### RESTResolver +### RESTResolver {#restresolver-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -107,7 +107,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### GrpcDescriptorRegistry +### GrpcDescriptorRegistry {#grpcdescriptorregistry-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -123,7 +123,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### ProtoRefs +### ProtoRefs {#protorefs} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -139,7 +139,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### GrpcResolver +### GrpcResolver {#grpcresolver-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -155,7 +155,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### StitchedSchema +### StitchedSchema {#stitchedschema} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields 
@@ -171,7 +171,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### SubschemaConfig +### SubschemaConfig {#subschemaconfig-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -187,7 +187,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### TypeMergeConfig +### TypeMergeConfig {#typemergeconfig} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -203,7 +203,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### MockResolver +### MockResolver {#mockresolver} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -219,7 +219,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### AsyncResponse +### AsyncResponse {#asyncresponse-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -235,7 +235,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### Resolution +### Resolution {#resolution-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -251,7 +251,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### GraphQLApi +### GraphQLApi {#graphqlapi} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields 
@@ -267,7 +267,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### GraphQLApiOptions +### GraphQLApiOptions {#graphqlapioptions} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -283,7 +283,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### PersistedQueryCacheConfig +### PersistedQueryCacheConfig {#persistedquerycacheconfig-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -299,7 +299,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### ExecutableSchema +### ExecutableSchema {#executableschema-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -315,7 +315,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### Executor +### Executor {#executor-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -331,7 +331,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### Local +### Local {#local-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -347,7 +347,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### LocalExecutorOptions +### LocalExecutorOptions {#localexecutoroptions} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields 
@@ -363,7 +363,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### Remote +### Remote {#remote-1} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/jwt/jwt.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/jwt/jwt.proto.sk.md index ecf64b9845e..960e77c8275 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/jwt/jwt.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/jwt/jwt.proto.sk.md @@ -17,13 +17,13 @@ weight: 5 - [VhostExtension](#vhostextension) - [ValidationPolicy](#validationpolicy) - [RouteExtension](#routeextension) -- [Provider](#provider) +- [Provider](#provider-1) - [Jwks](#jwks) -- [RemoteJwks](#remotejwks) -- [LocalJwks](#localjwks) +- [RemoteJwks](#remotejwks-3) +- [LocalJwks](#localjwks-2) - [TokenSource](#tokensource) - [HeaderSource](#headersource) -- [ClaimToHeader](#claimtoheader) +- [ClaimToHeader](#claimtoheader-3) @@ -35,7 +35,7 @@ weight: 5 --- -### JwtStagedVhostExtension +### JwtStagedVhostExtension {#jwtstagedvhostextension} @@ -54,7 +54,7 @@ weight: 5 --- -### JwtStagedRouteProvidersExtension +### JwtStagedRouteProvidersExtension {#jwtstagedrouteprovidersextension} @@ -73,7 +73,7 @@ weight: 5 --- -### JwtStagedRouteExtension +### JwtStagedRouteExtension {#jwtstagedrouteextension} @@ -92,7 +92,7 @@ weight: 5 --- -### VhostExtension +### VhostExtension {#vhostextension} @@ -113,7 +113,7 @@ weight: 5 --- -### ValidationPolicy +### ValidationPolicy {#validationpolicy} @@ -127,7 +127,7 @@ weight: 5 --- -### RouteExtension +### RouteExtension {#routeextension} @@ -144,7 +144,7 @@ weight: 5 --- -### Provider +### Provider {#provider-1} 
@@ -175,7 +175,7 @@ weight: 5 --- -### Jwks +### Jwks {#jwks} @@ -194,7 +194,7 @@ weight: 5 --- -### RemoteJwks +### RemoteJwks {#remotejwks-3} @@ -217,7 +217,7 @@ weight: 5 --- -### LocalJwks +### LocalJwks {#localjwks-2} @@ -234,7 +234,7 @@ weight: 5 --- -### TokenSource +### TokenSource {#tokensource} Describes the location of a JWT token @@ -254,7 +254,7 @@ Describes the location of a JWT token --- -### HeaderSource +### HeaderSource {#headersource} Describes how to retrieve a JWT from a header @@ -274,7 +274,7 @@ Describes how to retrieve a JWT from a header --- -### ClaimToHeader +### ClaimToHeader {#claimtoheader-3} Allows copying verified claims to headers sent upstream diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ratelimit/ratelimit.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ratelimit/ratelimit.proto.sk.md index 47ebcee544f..6a4cc6829f8 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ratelimit/ratelimit.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/ratelimit/ratelimit.proto.sk.md @@ -12,8 +12,8 @@ weight: 5 - [IngressRateLimit](#ingressratelimit) -- [Settings](#settings) -- [GrpcService](#grpcservice) +- [Settings](#settings-3) +- [GrpcService](#grpcservice-4) - [ServiceSettings](#servicesettings) - [RateLimitConfigRefs](#ratelimitconfigrefs) - [RateLimitConfigRef](#ratelimitconfigref) @@ -30,7 +30,7 @@ weight: 5 --- -### IngressRateLimit +### IngressRateLimit {#ingressratelimit} Basic rate-limiting API @@ -50,7 +50,7 @@ Basic rate-limiting API --- -### Settings +### Settings {#settings-3} @@ -77,7 +77,7 @@ Basic rate-limiting API --- -### GrpcService +### GrpcService {#grpcservice-4} 
@@ -94,7 +94,7 @@ Basic rate-limiting API --- -### ServiceSettings +### ServiceSettings {#servicesettings} API based on Envoy's rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) @@ -129,7 +129,7 @@ descriptors: --- -### RateLimitConfigRefs +### RateLimitConfigRefs {#ratelimitconfigrefs} A list of references to `RateLimitConfig` resources. @@ -148,7 +148,7 @@ Each resource represents a rate limit policy that will be independently enforced --- -### RateLimitConfigRef +### RateLimitConfigRef {#ratelimitconfigref} A reference to a `RateLimitConfig` resource. @@ -168,7 +168,7 @@ A reference to a `RateLimitConfig` resource. --- -### RateLimitVhostExtension +### RateLimitVhostExtension {#ratelimitvhostextension} Use this field if you want to inline the Envoy rate limits for this VirtualHost. @@ -191,7 +191,7 @@ running a custom rate limit server you need to configure it yourself. --- -### RateLimitRouteExtension +### RateLimitRouteExtension {#ratelimitrouteextension} Use this field if you want to inline the Envoy rate limits for this Route. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto.sk.md index 2214ba92583..5cd37530d6c 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [Settings](#settings) +- [Settings](#settings-4) - [ExtensionSettings](#extensionsettings) - [Policy](#policy) - [Principal](#principal) @@ -29,7 +29,7 @@ weight: 5 --- -### Settings +### Settings {#settings-4} Global RBAC settings 
@@ -47,7 +47,7 @@ Global RBAC settings --- -### ExtensionSettings +### ExtensionSettings {#extensionsettings} RBAC settings for Virtual Hosts and Routes @@ -67,7 +67,7 @@ RBAC settings for Virtual Hosts and Routes --- -### Policy +### Policy {#policy} @@ -88,7 +88,7 @@ RBAC settings for Virtual Hosts and Routes --- -### Principal +### Principal {#principal} An RBAC principal - the identity entity (usually a user or a service account). @@ -106,7 +106,7 @@ An RBAC principal - the identity entity (usually a user or a service account). --- -### JWTPrincipal +### JWTPrincipal {#jwtprincipal} A JWT principal. To use this, JWT option MUST be enabled. @@ -128,7 +128,7 @@ A JWT principal. To use this, JWT option MUST be enabled. --- -### ClaimMatcher +### ClaimMatcher {#claimmatcher} Used to specify how claims should be matched to the value. @@ -138,12 +138,13 @@ Used to specify how claims should be matched to the value. | `EXACT_STRING` | The JWT claim value is a string that exactly matches the value. | | `BOOLEAN` | The JWT claim value is a boolean that matches the value. | | `LIST_CONTAINS` | The JWT claim value is a list that contains a string that exactly matches the value. | +| `GLOB_MATCH` | The JWT claim value is a glob pattern that matches the value. | --- -### Permissions +### Permissions {#permissions} What permissions should be granted. An empty field means allow-all. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/stateful_session/stateful_session.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/stateful_session/stateful_session.proto.sk.md index b304b00bd58..76a0d0016d8 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/stateful_session/stateful_session.proto.sk.md 
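Review bot: The new `GLOB_MATCH` row in the `ClaimMatcher` table (rbac.proto.sk.md, hunk `@@ -138,12 +138,13 @@`) says the JWT claim value "is a glob pattern that matches the value", which makes the token-supplied claim the pattern. For an RBAC matcher the direction matters, because the pattern is expected to come from the configured policy value and the claim is the string tested against it. If that is what the implementation does (the matcher code is not in this hunk), the description would read `The JWT claim value is a string that matches the glob pattern given in the value.` This file appears to be generated from the proto comment, so the wording would be corrected there and the docs regenerated. The row could also name the glob syntax supported, so policy authors know how wildcards behave.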
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/stateful_session/stateful_session.proto.sk.md @@ -13,7 +13,7 @@ weight: 5 - [StatefulSession](#statefulsession) - [CookieBasedSessionState](#cookiebasedsessionstate) -- [Cookie](#cookie) +- [Cookie](#cookie-2) - [HeaderBasedSessionState](#headerbasedsessionstate) @@ -26,7 +26,7 @@ weight: 5 --- -### StatefulSession +### StatefulSession {#statefulsession} This configures the Envoy [Stateful Session](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/stateful_session_filter) filter for a listener @@ -48,7 +48,7 @@ This configures the Envoy [Stateful Session](https://www.envoyproxy.io/docs/envo --- -### CookieBasedSessionState +### CookieBasedSessionState {#cookiebasedsessionstate} Configuration for the [cookie-based session state](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/stateful_session/cookie/v3/cookie.proto#envoy-v3-api-msg-extensions-http-stateful-session-cookie-v3-cookiebasedsessionstate) filter @@ -66,7 +66,7 @@ Configuration for the [cookie-based session state](https://www.envoyproxy.io/doc --- -### Cookie +### Cookie {#cookie-2} @@ -87,7 +87,7 @@ Configuration for the [cookie-based session state](https://www.envoyproxy.io/doc --- -### HeaderBasedSessionState +### HeaderBasedSessionState {#headerbasedsessionstate} Configuration for the [header-based session state](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/stateful_session/header/v3/header.proto#extension-envoy-http-stateful-session-header) filter diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/tap/tap.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/tap/tap.proto.sk.md index 43c9fc3e300..68a776fd382 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/tap/tap.proto.sk.md 
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/tap/tap.proto.sk.md @@ -13,8 +13,8 @@ weight: 5 - [Tap](#tap) - [Sink](#sink) -- [GrpcService](#grpcservice) -- [HttpService](#httpservice) +- [GrpcService](#grpcservice-5) +- [HttpService](#httpservice-1) @@ -26,7 +26,7 @@ weight: 5 --- -### Tap +### Tap {#tap} Tap filter: a filter that copies the contents of HTTP requests and responses @@ -55,7 +55,7 @@ HTTP or GRPC. --- -### Sink +### Sink {#sink} @@ -74,7 +74,7 @@ HTTP or GRPC. --- -### GrpcService +### GrpcService {#grpcservice-5} A tap sink over a GRPC service @@ -92,7 +92,7 @@ A tap sink over a GRPC service --- -### HttpService +### HttpService {#httpservice-1} A tap sink over a HTTP service diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/waf/waf.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/waf/waf.proto.sk.md index bbd8fcb344e..344b14d7d96 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/waf/waf.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/waf/waf.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [Settings](#settings) +- [Settings](#settings-5) - [RuleSetFromConfigMap](#rulesetfromconfigmap) - [CoreRuleSet](#coreruleset) @@ -25,7 +25,7 @@ weight: 5 --- -### Settings +### Settings {#settings-5} @@ -56,7 +56,7 @@ weight: 5 --- -### RuleSetFromConfigMap +### RuleSetFromConfigMap {#rulesetfromconfigmap} @@ -75,7 +75,7 @@ weight: 5 --- -### CoreRuleSet +### CoreRuleSet {#coreruleset} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/ratelimit.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/ratelimit.proto.sk.md index b68c0ab3b29..f2df1c032ed 100644 
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/ratelimit.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/ratelimit.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### RateLimitConfig +### RateLimitConfig {#ratelimitconfig} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/extensions.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/extensions.proto.sk.md index 19c7a757135..67bd88778b5 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/extensions.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/extensions.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [Extensions](#extensions) -- [Extension](#extension) +- [Extension](#extension-1) @@ -24,7 +24,7 @@ weight: 5 --- -### Extensions +### Extensions {#extensions} @@ -41,7 +41,7 @@ weight: 5 --- -### Extension +### Extension {#extension-1} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/failover.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/failover.proto.sk.md index 7342377bdd5..e9ebf07e0ca 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/failover.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/failover.proto.sk.md @@ -13,11 +13,11 @@ weight: 5 - [Failover](#failover) - [PrioritizedLocality](#prioritizedlocality) -- [Policy](#policy) +- [Policy](#policy-1) - [LocalityLbEndpoints](#localitylbendpoints) - [LbEndpoint](#lbendpoint) -- [HealthCheckConfig](#healthcheckconfig) -- [Locality](#locality) +- [HealthCheckConfig](#healthcheckconfig-1) +- [Locality](#locality-1) @@ -29,7 +29,7 @@ weight: 5 --- -### Failover +### Failover {#failover} Failover configuration for an upstream. 
@@ -60,7 +60,7 @@ the list, first being `0` through `n-1`. --- -### PrioritizedLocality +### PrioritizedLocality {#prioritizedlocality} @@ -77,7 +77,7 @@ the list, first being `0` through `n-1`. --- -### Policy +### Policy {#policy-1} @@ -94,7 +94,7 @@ the list, first being `0` through `n-1`. --- -### LocalityLbEndpoints +### LocalityLbEndpoints {#localitylbendpoints} A group of endpoints belonging to a Locality. @@ -119,7 +119,7 @@ balancing weights or different priorities. --- -### LbEndpoint +### LbEndpoint {#lbendpoint} An Endpoint that Envoy can route traffic to. @@ -147,7 +147,7 @@ An Endpoint that Envoy can route traffic to. --- -### HealthCheckConfig +### HealthCheckConfig {#healthcheckconfig-1} The optional health check configuration. @@ -171,7 +171,7 @@ The optional health check configuration. --- -### Locality +### Locality {#locality-1} Identifies location of where either Envoy runs or where upstream hosts run. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/filters/stages.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/filters/stages.proto.sk.md index c26b781cf7b..f32ff5dbe4d 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/filters/stages.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/filters/stages.proto.sk.md @@ -13,7 +13,7 @@ weight: 5 - [FilterStage](#filterstage) - [Stage](#stage) -- [Predicate](#predicate) +- [Predicate](#predicate-1) @@ -25,7 +25,7 @@ weight: 5 --- -### FilterStage +### FilterStage {#filterstage} FilterStage allows configuration of where in a filter chain a given HTTP filter is inserted, @@ -46,7 +46,7 @@ relative to one of the pre-defined stages. --- -### Stage +### Stage {#stage} List of filter stages which can be selected for a HTTP filter. 
@@ -67,7 +67,7 @@ List of filter stages which can be selected for a HTTP filter. --- -### Predicate +### Predicate {#predicate-1} Desired placement of the HTTP filter relative to the stage. The default is `During`. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/http_listener_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/http_listener_options.proto.sk.md index 6009f2a58d4..3dc27740bf7 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/http_listener_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/http_listener_options.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### HttpListenerOptions +### HttpListenerOptions {#httplisteneroptions} Optional, feature-specific configuration that lives on http listeners diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/listener_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/listener_options.proto.sk.md index d7d490c8c02..c6659a35fe9 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/listener_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/listener_options.proto.sk.md @@ -25,7 +25,7 @@ weight: 5 --- -### ListenerOptions +### ListenerOptions {#listeneroptions} Optional, feature-specific configuration that lives on gateways. @@ -60,7 +60,7 @@ to be usable by Gloo. (plugins currently need to be compiled into Gloo) --- -### ConnectionBalanceConfig +### ConnectionBalanceConfig {#connectionbalanceconfig} Configuration for listener connection balancing. @@ -78,7 +78,7 @@ Configuration for listener connection balancing. --- -### ExactBalance +### ExactBalance {#exactbalance} A connection balancer implementation that does exact balancing. This means that a lock is 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/load_balancer.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/load_balancer.proto.sk.md index 1e9330e8252..051a43648bd 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/load_balancer.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/load_balancer.proto.sk.md @@ -30,7 +30,7 @@ weight: 5 --- -### LoadBalancerConfig +### LoadBalancerConfig {#loadbalancerconfig} LoadBalancerConfig is the settings for the load balancer used to send requests to the Upstream endpoints. @@ -66,7 +66,7 @@ LoadBalancerConfig is the settings for the load balancer used to send requests t --- -### RoundRobin +### RoundRobin {#roundrobin} @@ -83,7 +83,7 @@ LoadBalancerConfig is the settings for the load balancer used to send requests t --- -### LeastRequest +### LeastRequest {#leastrequest} @@ -102,7 +102,7 @@ LoadBalancerConfig is the settings for the load balancer used to send requests t --- -### Random +### Random {#random} @@ -117,7 +117,7 @@ LoadBalancerConfig is the settings for the load balancer used to send requests t --- -### RingHashConfig +### RingHashConfig {#ringhashconfig} Customizes the parameters used in the hashing algorithm to refine performance or resource usage. @@ -137,7 +137,7 @@ Customizes the parameters used in the hashing algorithm to refine performance or --- -### RingHash +### RingHash {#ringhash} @@ -154,7 +154,7 @@ Customizes the parameters used in the hashing algorithm to refine performance or --- -### Maglev +### Maglev {#maglev} @@ -169,7 +169,7 @@ Customizes the parameters used in the hashing algorithm to refine performance or --- -### SlowStartConfig +### SlowStartConfig {#slowstartconfig} 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/advanced_http/advanced_http.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/advanced_http/advanced_http.proto.sk.md index 4a46ea0325a..c4800e6f627 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/advanced_http/advanced_http.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/advanced_http/advanced_http.proto.sk.md @@ -11,11 +11,11 @@ weight: 5 **Types:** -- [ResponseAssertions](#responseassertions) -- [ResponseMatcher](#responsematcher) -- [ResponseMatch](#responsematch) -- [JsonKey](#jsonkey) -- [PathSegment](#pathsegment) +- [ResponseAssertions](#responseassertions-1) +- [ResponseMatcher](#responsematcher-2) +- [ResponseMatch](#responsematch-2) +- [JsonKey](#jsonkey-1) +- [PathSegment](#pathsegment-3) @@ -23,7 +23,7 @@ weight: 5 **Enums:** - - [HealthCheckResult](#healthcheckresult) + - [HealthCheckResult](#healthcheckresult-1) @@ -34,7 +34,7 @@ weight: 5 --- -### ResponseAssertions +### ResponseAssertions {#responseassertions-1} @@ -53,7 +53,7 @@ weight: 5 --- -### ResponseMatcher +### ResponseMatcher {#responsematcher-2} Defines a transformation template. @@ -73,7 +73,7 @@ Defines a transformation template. --- -### ResponseMatch +### ResponseMatch {#responsematch-2} ResponseMatches can be used to extract information from the request/response. @@ -99,7 +99,7 @@ ResponseMatches can be used to extract information from the request/response. --- -### JsonKey +### JsonKey {#jsonkey-1} @@ -116,7 +116,7 @@ ResponseMatches can be used to extract information from the request/response. --- -### PathSegment +### PathSegment {#pathsegment-3} Specifies the segment in a path to retrieve value. @@ -133,7 +133,7 @@ Specifies the segment in a path to retrieve value. -### HealthCheckResult +### HealthCheckResult {#healthcheckresult-1} Description: 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk.md index a0212916b40..4ec15ba3746 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk.md @@ -14,7 +14,7 @@ weight: 5 - [AccessLoggingService](#accessloggingservice) - [AccessLog](#accesslog) - [FileSink](#filesink) -- [GrpcService](#grpcservice) +- [GrpcService](#grpcservice-6) - [OpenTelemetryGrpcCollector](#opentelemetrygrpccollector) - [OpenTelemetryService](#opentelemetryservice) - [AccessLogFilter](#accesslogfilter) @@ -42,7 +42,7 @@ weight: 5 --- -### AccessLoggingService +### AccessLoggingService {#accessloggingservice} Contains various settings for Envoy's access logging service. @@ -61,7 +61,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v --- -### AccessLog +### AccessLog {#accesslog} @@ -84,7 +84,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v --- -### FileSink +### FileSink {#filesink} @@ -105,7 +105,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v --- -### GrpcService +### GrpcService {#grpcservice-6} @@ -132,7 +132,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v --- -### OpenTelemetryGrpcCollector +### OpenTelemetryGrpcCollector {#opentelemetrygrpccollector} @@ -159,7 +159,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v --- -### OpenTelemetryService +### OpenTelemetryService {#opentelemetryservice} @@ -186,7 +186,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v --- -### AccessLogFilter +### AccessLogFilter {#accesslogfilter} 
@@ -221,7 +221,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v --- -### ComparisonFilter +### ComparisonFilter {#comparisonfilter} Filter on an integer comparison. @@ -241,7 +241,7 @@ Filter on an integer comparison. --- -### Op +### Op {#op} @@ -255,7 +255,7 @@ Filter on an integer comparison. --- -### StatusCodeFilter +### StatusCodeFilter {#statuscodefilter} Filters on HTTP response/status code. @@ -273,7 +273,7 @@ Filters on HTTP response/status code. --- -### DurationFilter +### DurationFilter {#durationfilter} Filters on total request duration in milliseconds. @@ -291,7 +291,7 @@ Filters on total request duration in milliseconds. --- -### NotHealthCheckFilter +### NotHealthCheckFilter {#nothealthcheckfilter} Filters for requests that are not health check requests. A health check @@ -308,7 +308,7 @@ request is marked by the health check filter. --- -### TraceableFilter +### TraceableFilter {#traceablefilter} Filters for requests that are traceable. See the tracing overview for more @@ -325,7 +325,7 @@ information on how a request becomes traceable. --- -### RuntimeFilter +### RuntimeFilter {#runtimefilter} Filters for random sampling of requests. @@ -347,7 +347,7 @@ Filters for random sampling of requests. --- -### AndFilter +### AndFilter {#andfilter} Performs a logical “and” operation on the result of each filter in filters. @@ -367,7 +367,7 @@ filter returns false immediately. --- -### OrFilter +### OrFilter {#orfilter} Performs a logical “or” operation on the result of each individual filter. @@ -387,7 +387,7 @@ filter returns true immediately. --- -### HeaderFilter +### HeaderFilter {#headerfilter} Filters requests based on the presence or value of a request header. @@ -405,7 +405,7 @@ Filters requests based on the presence or value of a request header. --- -### ResponseFlagFilter +### ResponseFlagFilter {#responseflagfilter} Filters requests that received responses with an Envoy response flag set. 
@@ -426,7 +426,7 @@ in the access log formatter --- -### GrpcStatusFilter +### GrpcStatusFilter {#grpcstatusfilter} Filters gRPC requests based on their response status. If a gRPC status is not @@ -447,7 +447,7 @@ provided, the filter will infer the status from the HTTP status code. --- -### Status +### Status {#status} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/aws.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/aws.proto.sk.md index 7cb7348108b..209a889dda8 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/aws.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/aws.proto.sk.md @@ -11,9 +11,9 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) +- [UpstreamSpec](#upstreamspec-2) - [LambdaFunctionSpec](#lambdafunctionspec) -- [DestinationSpec](#destinationspec) +- [DestinationSpec](#destinationspec-1) - [InvocationStyle](#invocationstyle) @@ -26,7 +26,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-2} Upstream Spec for AWS Lambda Upstreams @@ -58,7 +58,7 @@ in a particular region --- -### LambdaFunctionSpec +### LambdaFunctionSpec {#lambdafunctionspec} Each Lambda Function Spec contains data necessary for Gloo to invoke Lambda functions: @@ -82,7 +82,7 @@ Each Lambda Function Spec contains data necessary for Gloo to invoke Lambda func --- -### DestinationSpec +### DestinationSpec {#destinationspec-1} Each Lambda Function Spec contains data necessary for Gloo to invoke Lambda functions @@ -113,7 +113,7 @@ Each Lambda Function Spec contains data necessary for Gloo to invoke Lambda func --- -### InvocationStyle +### InvocationStyle {#invocationstyle} 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/ec2/aws_ec2.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/ec2/aws_ec2.proto.sk.md index f44878cc222..d13031ae444 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/ec2/aws_ec2.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/aws/ec2/aws_ec2.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) +- [UpstreamSpec](#upstreamspec-3) - [TagFilter](#tagfilter) - [KvPair](#kvpair) @@ -25,7 +25,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-3} Upstream Spec for AWS Lambda Upstreams @@ -55,7 +55,7 @@ in a particular region --- -### TagFilter +### TagFilter {#tagfilter} @@ -74,7 +74,7 @@ in a particular region --- -### KvPair +### KvPair {#kvpair} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/azure/azure.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/azure/azure.proto.sk.md index 690372e2b40..c567afd1321 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/azure/azure.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/azure/azure.proto.sk.md @@ -11,10 +11,10 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) +- [UpstreamSpec](#upstreamspec-4) - [FunctionSpec](#functionspec) - [AuthLevel](#authlevel) -- [DestinationSpec](#destinationspec) +- [DestinationSpec](#destinationspec-2) @@ -26,7 +26,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-4} Upstream Spec for Azure Functions Upstreams @@ -50,7 +50,7 @@ within a particular Function App --- -### FunctionSpec +### FunctionSpec {#functionspec} Function Spec for Functions on Azure Functions Upstreams 
@@ -71,7 +71,7 @@ The Function Spec contains data necessary for Gloo to invoke Azure functions --- -### AuthLevel +### AuthLevel {#authlevel} @@ -85,7 +85,7 @@ The Function Spec contains data necessary for Gloo to invoke Azure functions --- -### DestinationSpec +### DestinationSpec {#destinationspec-2} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/connection_limit/connection_limit.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/connection_limit/connection_limit.proto.sk.md index 3db25651796..862ed87d77c 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/connection_limit/connection_limit.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/connection_limit/connection_limit.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### ConnectionLimit +### ConnectionLimit {#connectionlimit} These options provide the ability to limit the active connections in envoy. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/consul.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/consul.proto.sk.md index 51a6824f8bd..c0c12af1348 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/consul.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/consul.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) +- [UpstreamSpec](#upstreamspec-5) @@ -23,7 +23,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-5} Upstream Spec for Consul Upstreams 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/query_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/query_options.proto.sk.md index 24fca0f596b..4381ca8085e 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/query_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/consul/query_options.proto.sk.md @@ -30,7 +30,7 @@ weight: 5 --- -### QueryOptions +### QueryOptions {#queryoptions} somewhat mirrors client query options struct in consul catalog api @@ -48,7 +48,7 @@ only has options that we know we want configurable at both upstream and settings -### ConsulConsistencyModes +### ConsulConsistencyModes {#consulconsistencymodes} Description: These are the same consistency modes offered by Consul. For more information please review https://www.consul.io/api-docs/features/consistency. and https://pkg.go.dev/github.com/hashicorp/consul/api#QueryOptions. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/cors/cors.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/cors/cors.proto.sk.md index d539f67d224..27c68466c67 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/cors/cors.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/cors/cors.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [CorsPolicy](#corspolicy) +- [CorsPolicy](#corspolicy-2) - [CorsPolicyMergeSettings](#corspolicymergesettings) - [MergeStrategy](#mergestrategy) @@ -25,7 +25,7 @@ weight: 5 --- -### CorsPolicy +### CorsPolicy {#corspolicy-2} CorsPolicy defines Cross-Origin Resource Sharing for a virtual service. 
@@ -57,7 +57,7 @@ CorsPolicy defines Cross-Origin Resource Sharing for a virtual service. --- -### CorsPolicyMergeSettings +### CorsPolicyMergeSettings {#corspolicymergesettings} Settings to determine how to merge CORS settings when present on both the VirtualHost and Route. @@ -77,7 +77,7 @@ For example, you might not want CORS settings on each route to override the virt --- -### MergeStrategy +### MergeStrategy {#mergestrategy} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/dynamic_forward_proxy/dynamic_forward_proxy.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/dynamic_forward_proxy/dynamic_forward_proxy.proto.sk.md index 7f5c5c23126..a631050ede3 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/dynamic_forward_proxy/dynamic_forward_proxy.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/dynamic_forward_proxy/dynamic_forward_proxy.proto.sk.md @@ -11,11 +11,11 @@ weight: 5 **Types:** -- [FilterConfig](#filterconfig) +- [FilterConfig](#filterconfig-1) - [DnsCacheCircuitBreakers](#dnscachecircuitbreakers) - [DnsCacheConfig](#dnscacheconfig) - [RefreshRate](#refreshrate) -- [PerRouteConfig](#perrouteconfig) +- [PerRouteConfig](#perrouteconfig-1) - [DnsResolverOptions](#dnsresolveroptions) - [CaresDnsResolverConfig](#caresdnsresolverconfig) - [AppleDnsResolverConfig](#applednsresolverconfig) @@ -37,7 +37,7 @@ weight: 5 --- -### FilterConfig +### FilterConfig {#filterconfig-1} Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview @@ -63,7 +63,7 @@ Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architect --- -### DnsCacheCircuitBreakers +### DnsCacheCircuitBreakers {#dnscachecircuitbreakers} Configuration of circuit breakers for resolver. 
@@ -81,7 +81,7 @@ Configuration of circuit breakers for resolver. --- -### DnsCacheConfig +### DnsCacheConfig {#dnscacheconfig} Configuration for the dynamic forward proxy DNS cache. See the :ref:`architecture overview @@ -119,7 +119,7 @@ Configuration for the dynamic forward proxy DNS cache. See the :ref:`architectur --- -### RefreshRate +### RefreshRate {#refreshrate} @@ -138,7 +138,7 @@ Configuration for the dynamic forward proxy DNS cache. See the :ref:`architectur --- -### PerRouteConfig +### PerRouteConfig {#perrouteconfig-1} Per route Configuration for the dynamic forward proxy HTTP filter. @@ -158,7 +158,7 @@ Per route Configuration for the dynamic forward proxy HTTP filter. --- -### DnsResolverOptions +### DnsResolverOptions {#dnsresolveroptions} Configuration of DNS resolver option flags which control the behavior of the DNS resolver. @@ -178,7 +178,7 @@ Configuration of DNS resolver option flags which control the behavior of the DNS --- -### CaresDnsResolverConfig +### CaresDnsResolverConfig {#caresdnsresolverconfig} Configuration for c-ares DNS resolver. @@ -198,7 +198,7 @@ Configuration for c-ares DNS resolver. --- -### AppleDnsResolverConfig +### AppleDnsResolverConfig {#applednsresolverconfig} Configuration for apple DNS resolver. @@ -213,7 +213,7 @@ Configuration for apple DNS resolver. -### DnsLookupFamily +### DnsLookupFamily {#dnslookupfamily} Description: When V4_ONLY is selected, the DNS resolver will only perform a lookup for addresses in the IPv4 family. If V6_ONLY is selected, the DNS resolver will diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/faultinjection/fault.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/faultinjection/fault.proto.sk.md index 445cacde9af..89297ad426e 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/faultinjection/fault.proto.sk.md 
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/faultinjection/fault.proto.sk.md @@ -25,7 +25,7 @@ weight: 5 --- -### RouteAbort +### RouteAbort {#routeabort} @@ -44,7 +44,7 @@ weight: 5 --- -### RouteDelay +### RouteDelay {#routedelay} @@ -63,7 +63,7 @@ weight: 5 --- -### RouteFaults +### RouteFaults {#routefaults} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/graphql/graphql.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/graphql/graphql.proto.sk.md index 11e626cc354..8c7979a0544 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/graphql/graphql.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/graphql/graphql.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [ServiceSpec](#servicespec) -- [Endpoint](#endpoint) +- [Endpoint](#endpoint-1) @@ -24,7 +24,7 @@ weight: 5 --- -### ServiceSpec +### ServiceSpec {#servicespec} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -40,7 +40,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### Endpoint +### Endpoint {#endpoint-1} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc/grpc.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc/grpc.proto.sk.md index cbfab7c8a46..27ea175689c 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc/grpc.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc/grpc.proto.sk.md 
@@ -11,9 +11,9 @@ weight: 5 **Types:** -- [ServiceSpec](#servicespec) -- [GrpcService](#grpcservice) -- [DestinationSpec](#destinationspec) +- [ServiceSpec](#servicespec-1) +- [GrpcService](#grpcservice-7) +- [DestinationSpec](#destinationspec-3) @@ -25,7 +25,7 @@ weight: 5 --- -### ServiceSpec +### ServiceSpec {#servicespec-1} Service spec describing GRPC upstreams. This will usually be filled @@ -49,7 +49,7 @@ Deprecated: prefer using GrpcJsonTranscoder --- -### GrpcService +### GrpcService {#grpcservice-7} Describes a grpc service @@ -71,7 +71,7 @@ Describes a grpc service --- -### DestinationSpec +### DestinationSpec {#destinationspec-3} This is only for upstream with Grpc service spec. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_json/grpc_json.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_json/grpc_json.proto.sk.md index ac0462249b6..d0036e6a013 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_json/grpc_json.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_json/grpc_json.proto.sk.md @@ -25,7 +25,7 @@ weight: 5 --- -### GrpcJsonTranscoder +### GrpcJsonTranscoder {#grpcjsontranscoder} [#next-free-field: 10] @@ -61,7 +61,7 @@ weight: 5 --- -### PrintOptions +### PrintOptions {#printoptions} @@ -84,7 +84,7 @@ weight: 5 --- -### DescriptorConfigMap +### DescriptorConfigMap {#descriptorconfigmap} Allows the user to store the binary content of a [proto descriptor set](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/grpc_json_transcoder_filter#config-grpc-json-generate-proto-descriptor-set) in a ConfigMap. 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_web/grpc_web.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_web/grpc_web.proto.sk.md index e6f0cb6b18f..59d380b5f10 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_web/grpc_web.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_web/grpc_web.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### GrpcWeb +### GrpcWeb {#grpcweb} GrpcWeb support is enabled be default. Use this extension to disable it. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk.md index af4de93027b..0b4bca2e59e 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk.md @@ -14,7 +14,7 @@ weight: 5 - [HttpConnectionManagerSettings](#httpconnectionmanagersettings) - [SetCurrentClientCertDetails](#setcurrentclientcertdetails) - [UuidRequestIdConfigSettings](#uuidrequestidconfigsettings) -- [CidrRange](#cidrrange) +- [CidrRange](#cidrrange-2) - [InternalAddressConfig](#internaladdressconfig) - [ForwardClientCertDetails](#forwardclientcertdetails) - [ServerHeaderTransformation](#serverheadertransformation) @@ -32,7 +32,7 @@ weight: 5 --- -### HttpConnectionManagerSettings +### HttpConnectionManagerSettings {#httpconnectionmanagersettings} Contains various settings for Envoy's http connection manager. @@ -133,7 +133,7 @@ v3 documents https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filte --- -### SetCurrentClientCertDetails +### SetCurrentClientCertDetails {#setcurrentclientcertdetails} 
@@ -158,7 +158,7 @@ v3 documents https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filte --- -### UuidRequestIdConfigSettings +### UuidRequestIdConfigSettings {#uuidrequestidconfigsettings} Contains setup for Envoy's UuidRequestIdConfig @@ -178,7 +178,7 @@ Contains setup for Envoy's UuidRequestIdConfig --- -### CidrRange +### CidrRange {#cidrrange-2} Subnet mask for CIDR ranges @@ -198,7 +198,7 @@ Subnet mask for CIDR ranges --- -### InternalAddressConfig +### InternalAddressConfig {#internaladdressconfig} Manages Envoy's internal address configuration @@ -218,7 +218,7 @@ Manages Envoy's internal address configuration --- -### ForwardClientCertDetails +### ForwardClientCertDetails {#forwardclientcertdetails} @@ -234,7 +234,7 @@ Manages Envoy's internal address configuration --- -### ServerHeaderTransformation +### ServerHeaderTransformation {#serverheadertransformation} @@ -248,7 +248,7 @@ Manages Envoy's internal address configuration --- -### HeadersWithUnderscoreAction +### HeadersWithUnderscoreAction {#headerswithunderscoreaction} Action to take when Envoy receives client request with header names containing underscore characters. Underscore character @@ -265,7 +265,7 @@ is allowed in header names by the RFC-7230 and this behavior is implemented as a --- -### PathWithEscapedSlashesAction +### PathWithEscapedSlashesAction {#pathwithescapedslashesaction} Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path. @@ -283,7 +283,7 @@ This operation occurs before URL normalization and the merge slashes transformat --- -### CodecType +### CodecType {#codectype} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk.md index 825bb475ca1..ef4ec8c5318 100644 
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### HeaderValidationSettings +### HeaderValidationSettings {#headervalidationsettings} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/headers/headers.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/headers/headers.proto.sk.md index d60fd3093fa..fd025210ce1 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/headers/headers.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/headers/headers.proto.sk.md @@ -13,8 +13,8 @@ weight: 5 - [HeaderManipulation](#headermanipulation) - [EarlyHeaderManipulation](#earlyheadermanipulation) -- [HeaderValueOption](#headervalueoption) -- [HeaderValue](#headervalue) +- [HeaderValueOption](#headervalueoption-1) +- [HeaderValue](#headervalue-1) @@ -26,7 +26,7 @@ weight: 5 --- -### HeaderManipulation +### HeaderManipulation {#headermanipulation} This plugin provides configuration options to append and remove headers from @@ -52,7 +52,7 @@ HeaderManipulation can be specified on routes, virtual hosts, or weighted destin --- -### EarlyHeaderManipulation +### EarlyHeaderManipulation {#earlyheadermanipulation} EarlyHeaderManipulation can be specified on Gateways to manipulate headers before significant processing @@ -76,7 +76,7 @@ Note: The adding of headers happens before the removal of headers. --- -### HeaderValueOption +### HeaderValueOption {#headervalueoption-1} Header name/value pair plus option to control append behavior. 
@@ -96,7 +96,7 @@ Header name/value pair plus option to control append behavior. --- -### HeaderValue +### HeaderValue {#headervalue-1} Header name/value pair. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/healthcheck/healthcheck.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/healthcheck/healthcheck.proto.sk.md index 27cbc173f11..02ab865956d 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/healthcheck/healthcheck.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/healthcheck/healthcheck.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [HealthCheck](#healthcheck) +- [HealthCheck](#healthcheck-2) @@ -23,7 +23,7 @@ weight: 5 --- -### HealthCheck +### HealthCheck {#healthcheck-2} Add this config to a Listener/Gateway to Enable Envoy Health Checks on that port diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/kubernetes/kubernetes.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/kubernetes/kubernetes.proto.sk.md index 84167bca857..5688b63f318 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/kubernetes/kubernetes.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/kubernetes/kubernetes.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) +- [UpstreamSpec](#upstreamspec-6) @@ -23,7 +23,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-6} Kubernetes Upstreams represent a set of one or more addressable pods for a Kubernetes Service 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/lbhash/lbhash.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/lbhash/lbhash.proto.sk.md index 35d0c69d444..f353a945b18 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/lbhash/lbhash.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/lbhash/lbhash.proto.sk.md @@ -12,8 +12,8 @@ weight: 5 - [RouteActionHashConfig](#routeactionhashconfig) -- [Cookie](#cookie) -- [HashPolicy](#hashpolicy) +- [Cookie](#cookie-3) +- [HashPolicy](#hashpolicy-2) @@ -25,7 +25,7 @@ weight: 5 --- -### RouteActionHashConfig +### RouteActionHashConfig {#routeactionhashconfig} Specifies the route’s hashing policy if the upstream cluster uses a hashing load balancer. @@ -44,7 +44,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#e --- -### Cookie +### Cookie {#cookie-3} Envoy supports two types of cookie affinity: @@ -70,7 +70,7 @@ additional notes https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route --- -### HashPolicy +### HashPolicy {#hashpolicy-2} Specifies an element of Envoy's hashing policy for hashing load balancers diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/local_ratelimit/local_ratelimit.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/local_ratelimit/local_ratelimit.proto.sk.md index 1bd742c9ab8..2cc332641b9 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/local_ratelimit/local_ratelimit.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/local_ratelimit/local_ratelimit.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [TokenBucket](#tokenbucket) -- [Settings](#settings) +- [Settings](#settings-6) 
@@ -24,7 +24,7 @@ weight: 5 --- -### TokenBucket +### TokenBucket {#tokenbucket} Configures the token bucket, used for rate limiting. @@ -47,7 +47,7 @@ Ref. https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network --- -### Settings +### Settings {#settings-6} The Local Rate Limit settings define the default local rate limit token bucket to apply as well as other configurations diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/pipe/pipe.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/pipe/pipe.proto.sk.md index 4c80adf1ba1..8b249e2fd61 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/pipe/pipe.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/pipe/pipe.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) +- [UpstreamSpec](#upstreamspec-7) @@ -23,7 +23,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-7} Pipe upstreams are used to route request to services listening at a Unix Domain Socket. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol/protocol.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol/protocol.proto.sk.md index c82b2fc6ca6..93b7f902866 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol/protocol.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol/protocol.proto.sk.md @@ -26,7 +26,7 @@ weight: 5 --- -### HttpProtocolOptions +### HttpProtocolOptions {#httpprotocoloptions} @@ -49,7 +49,7 @@ weight: 5 --- -### HeadersWithUnderscoresAction +### HeadersWithUnderscoresAction {#headerswithunderscoresaction} Action to take when Envoy receives client request with header names containing underscore 
@@ -68,7 +68,7 @@ characters. --- -### Http1ProtocolOptions +### Http1ProtocolOptions {#http1protocoloptions} @@ -91,7 +91,7 @@ characters. --- -### Http2ProtocolOptions +### Http2ProtocolOptions {#http2protocoloptions} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol_upgrade/protocol_upgrade.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol_upgrade/protocol_upgrade.proto.sk.md index 23ffc1aa600..9c0272a002d 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol_upgrade/protocol_upgrade.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/protocol_upgrade/protocol_upgrade.proto.sk.md @@ -24,7 +24,7 @@ weight: 5 --- -### ProtocolUpgradeConfig +### ProtocolUpgradeConfig {#protocolupgradeconfig} @@ -43,7 +43,7 @@ weight: 5 --- -### ProtocolUpgradeSpec +### ProtocolUpgradeSpec {#protocolupgradespec} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/proxy_protocol/proxy_protocol.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/proxy_protocol/proxy_protocol.proto.sk.md index 7b751460be4..30431f1c280 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/proxy_protocol/proxy_protocol.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/proxy_protocol/proxy_protocol.proto.sk.md @@ -25,7 +25,7 @@ weight: 5 --- -### ProxyProtocol +### ProxyProtocol {#proxyprotocol} @@ -44,7 +44,7 @@ weight: 5 --- -### KeyValuePair +### KeyValuePair {#keyvaluepair} @@ -63,7 +63,7 @@ weight: 5 --- -### Rule +### Rule {#rule} A Rule defines what metadata to apply when a header is present or missing. 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/rest/rest.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/rest/rest.proto.sk.md index 78a5c73ee50..b7bb68c9606 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/rest/rest.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/rest/rest.proto.sk.md @@ -11,9 +11,9 @@ weight: 5 **Types:** -- [ServiceSpec](#servicespec) +- [ServiceSpec](#servicespec-2) - [SwaggerInfo](#swaggerinfo) -- [DestinationSpec](#destinationspec) +- [DestinationSpec](#destinationspec-4) @@ -25,7 +25,7 @@ weight: 5 --- -### ServiceSpec +### ServiceSpec {#servicespec-2} @@ -44,7 +44,7 @@ weight: 5 --- -### SwaggerInfo +### SwaggerInfo {#swaggerinfo} @@ -63,7 +63,7 @@ weight: 5 --- -### DestinationSpec +### DestinationSpec {#destinationspec-4} This is only for upstream with REST service spec diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/retries/retries.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/retries/retries.proto.sk.md index 2ea4d8f1a23..38c4d942775 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/retries/retries.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/retries/retries.proto.sk.md @@ -11,11 +11,11 @@ weight: 5 **Types:** -- [RetryBackOff](#retrybackoff) +- [RetryBackOff](#retrybackoff-2) - [ResetHeader](#resetheader) - [HeaderFormat](#headerformat) - [RateLimitedRetryBackOff](#ratelimitedretrybackoff) -- [RetryPolicy](#retrypolicy) +- [RetryPolicy](#retrypolicy-4) - [PreviousPriorities](#previouspriorities) 
@@ -28,7 +28,7 @@ weight: 5 --- -### RetryBackOff +### RetryBackOff {#retrybackoff-2} This specifies the retry policy interval for backoffs. Note that if the base interval provided is larger than the maximum interval OR if any of the durations passed are <= 0 MS, there will be an error. @@ -48,7 +48,7 @@ This specifies the retry policy interval for backoffs. Note that if the base int --- -### ResetHeader +### ResetHeader {#resetheader} ResetHeader is a header that is used to reset the retry backoff. @@ -68,7 +68,7 @@ ResetHeader is a header that is used to reset the retry backoff. --- -### HeaderFormat +### HeaderFormat {#headerformat} @@ -81,7 +81,7 @@ ResetHeader is a header that is used to reset the retry backoff. --- -### RateLimitedRetryBackOff +### RateLimitedRetryBackOff {#ratelimitedretrybackoff} This specifies the retry policy interval for rate limited requests. @@ -102,7 +102,7 @@ Based on: https://github.com/envoyproxy/envoy/blob/4a134ce926cf0b882a4c416734b57 --- -### RetryPolicy +### RetryPolicy {#retrypolicy-4} Retry Policy applied at the Route and/or Virtual Hosts levels. @@ -132,7 +132,7 @@ Retry Policy applied at the Route and/or Virtual Hosts levels. --- -### PreviousPriorities +### PreviousPriorities {#previouspriorities} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/router/router.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/router/router.proto.sk.md index 433a87d7cfe..f6d44ba61da 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/router/router.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/router/router.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### Router +### Router {#router} Router is an envoy http filter 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/service_spec.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/service_spec.proto.sk.md index 2415e7d662c..cf791bd2fd5 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/service_spec.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/service_spec.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [ServiceSpec](#servicespec) +- [ServiceSpec](#servicespec-3) @@ -23,7 +23,7 @@ weight: 5 --- -### ServiceSpec +### ServiceSpec {#servicespec-3} Describes APIs and application-level information for services diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/shadowing/shadowing.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/shadowing/shadowing.proto.sk.md index c3e72f3db85..df1049c88cc 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/shadowing/shadowing.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/shadowing/shadowing.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### RouteShadowing +### RouteShadowing {#routeshadowing} Specifies traffic shadowing configuration for the associated route. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/static/static.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/static/static.proto.sk.md index 8d289e8156d..85d2a09557e 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/static/static.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/static/static.proto.sk.md 
@@ -11,9 +11,9 @@ weight: 5 **Types:** -- [UpstreamSpec](#upstreamspec) -- [Host](#host) -- [HealthCheckConfig](#healthcheckconfig) +- [UpstreamSpec](#upstreamspec-8) +- [Host](#host-1) +- [HealthCheckConfig](#healthcheckconfig-2) @@ -25,7 +25,7 @@ weight: 5 --- -### UpstreamSpec +### UpstreamSpec {#upstreamspec-8} Static upstreams are used to route request to services listening at fixed IP/Host & Port pairs. @@ -52,7 +52,7 @@ Unlike upstreams created by service discovery, Static Upstreams must be created --- -### Host +### Host {#host-1} Represents a single instance of an upstream @@ -80,7 +80,7 @@ Represents a single instance of an upstream --- -### HealthCheckConfig +### HealthCheckConfig {#healthcheckconfig-2} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/stats/stats.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/stats/stats.proto.sk.md index df85edc0725..1793a828dbe 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/stats/stats.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/stats/stats.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [Stats](#stats) -- [VirtualCluster](#virtualcluster) +- [VirtualCluster](#virtualcluster-2) @@ -24,7 +24,7 @@ weight: 5 --- -### Stats +### Stats {#stats} This plugin provides additional configuration options to expose statistics. @@ -42,7 +42,7 @@ This plugin provides additional configuration options to expose statistics. --- -### VirtualCluster +### VirtualCluster {#virtualcluster-2} Virtual clusters allow you to expose statistics for virtual host traffic that matches certain criteria. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/subset_spec.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/subset_spec.proto.sk.md index cb2d10b230a..d771e3d3a72 100644 
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/subset_spec.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/subset_spec.proto.sk.md @@ -12,7 +12,7 @@ weight: 5 - [SubsetSpec](#subsetspec) -- [Selector](#selector) +- [Selector](#selector-1) - [Subset](#subset) @@ -32,7 +32,7 @@ weight: 5 --- -### SubsetSpec +### SubsetSpec {#subsetspec} See envoy docs for details: @@ -55,7 +55,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.pro --- -### Selector +### Selector {#selector-1} @@ -74,7 +74,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.pro --- -### Subset +### Subset {#subset} @@ -90,7 +90,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.pro -### FallbackPolicy +### FallbackPolicy {#fallbackpolicy} Description: diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tcp/tcp.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tcp/tcp.proto.sk.md index 9586332075e..ca6a5419e74 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tcp/tcp.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tcp/tcp.proto.sk.md @@ -13,8 +13,8 @@ weight: 5 - [TcpProxySettings](#tcpproxysettings) - [TunnelingConfig](#tunnelingconfig) -- [HeaderValueOption](#headervalueoption) -- [HeaderValue](#headervalue) +- [HeaderValueOption](#headervalueoption-2) +- [HeaderValue](#headervalue-2) @@ -26,7 +26,7 @@ weight: 5 --- -### TcpProxySettings +### TcpProxySettings {#tcpproxysettings} Contains various settings for Envoy's tcp proxy filter. 
@@ -51,7 +51,7 @@ See here for more information: https://www.envoyproxy.io/docs/envoy/v1.10.0/api- --- -### TunnelingConfig +### TunnelingConfig {#tunnelingconfig} Configuration for tunneling TCP over other transports or application layers. @@ -71,7 +71,7 @@ Configuration for tunneling TCP over other transports or application layers. --- -### HeaderValueOption +### HeaderValueOption {#headervalueoption-2} Header name/value pair plus option to control append behavior. @@ -91,7 +91,7 @@ Header name/value pair plus option to control append behavior. --- -### HeaderValue +### HeaderValue {#headervalue-2} Header name/value pair. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tracing/tracing.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tracing/tracing.proto.sk.md index 1cbab4631cd..4f2109c83a3 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tracing/tracing.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/tracing/tracing.proto.sk.md @@ -30,7 +30,7 @@ weight: 5 --- -### ListenerTracingSettings +### ListenerTracingSettings {#listenertracingsettings} Contains settings for configuring Envoy's tracing capabilities at the listener level. @@ -70,7 +70,7 @@ See [here](https://docs.solo.io/gloo-edge/latest/guides/observability/tracing/) --- -### RouteTracingSettings +### RouteTracingSettings {#routetracingsettings} Contains settings for configuring Envoy's tracing capabilities at the route level. @@ -95,7 +95,7 @@ See [here](https://docs.solo.io/gloo-edge/latest/guides/observability/tracing/) --- -### TracePercentages +### TracePercentages {#tracepercentages} Requests can produce traces by random sampling or when the `x-client-trace-id` header is provided. 
@@ -118,7 +118,7 @@ TracePercentages defines the limits for random, forced, and overall tracing perc --- -### TracingTagEnvironmentVariable +### TracingTagEnvironmentVariable {#tracingtagenvironmentvariable} Requests can produce traces with custom tags. @@ -141,7 +141,7 @@ TracingTagEnvironmentVariable defines an environment variable which gets added a --- -### TracingTagLiteral +### TracingTagLiteral {#tracingtagliteral} Requests can produce traces with custom tags. @@ -162,7 +162,7 @@ TracingTagLiteral defines a literal which gets added as custom tag. --- -### TracingTagMetadata +### TracingTagMetadata {#tracingtagmetadata} Requests can produce traces with custom tags. @@ -187,7 +187,7 @@ TracingTagMetadata defines a dynamic metadata tag which gets added as custom tag --- -### MetadataValue +### MetadataValue {#metadatavalue} @@ -208,7 +208,7 @@ TracingTagMetadata defines a dynamic metadata tag which gets added as custom tag --- -### Kind +### Kind {#kind} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/parameters.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/parameters.proto.sk.md index b03de05466d..8255539fa61 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/parameters.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/parameters.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### Parameters +### Parameters {#parameters} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/transformation.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/transformation.proto.sk.md index f5a5146da62..48dd54589b5 100644 
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/transformation.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/transformation/transformation.proto.sk.md @@ -11,25 +11,25 @@ weight: 5 **Types:** -- [ResponseMatch](#responsematch) -- [RequestMatch](#requestmatch) -- [Transformations](#transformations) +- [ResponseMatch](#responsematch-3) +- [RequestMatch](#requestmatch-1) +- [Transformations](#transformations-1) - [RequestResponseTransformations](#requestresponsetransformations) - [TransformationStages](#transformationstages) -- [Transformation](#transformation) -- [Extraction](#extraction) -- [Mode](#mode) -- [TransformationTemplate](#transformationtemplate) -- [HeaderToAppend](#headertoappend) -- [DynamicMetadataValue](#dynamicmetadatavalue) -- [SpanTransformer](#spantransformer) -- [RequestBodyParse](#requestbodyparse) -- [InjaTemplate](#injatemplate) -- [Passthrough](#passthrough) -- [MergeExtractorsToBody](#mergeextractorstobody) -- [MergeJsonKeys](#mergejsonkeys) -- [OverridableTemplate](#overridabletemplate) -- [HeaderBodyTransform](#headerbodytransform) +- [Transformation](#transformation-2) +- [Extraction](#extraction-2) +- [Mode](#mode-2) +- [TransformationTemplate](#transformationtemplate-1) +- [HeaderToAppend](#headertoappend-1) +- [DynamicMetadataValue](#dynamicmetadatavalue-1) +- [SpanTransformer](#spantransformer-1) +- [RequestBodyParse](#requestbodyparse-1) +- [InjaTemplate](#injatemplate-1) +- [Passthrough](#passthrough-2) +- [MergeExtractorsToBody](#mergeextractorstobody-1) +- [MergeJsonKeys](#mergejsonkeys-1) +- [OverridableTemplate](#overridabletemplate-1) +- [HeaderBodyTransform](#headerbodytransform-1) @@ -41,7 +41,7 @@ weight: 5 --- -### ResponseMatch +### ResponseMatch {#responsematch-3} @@ -62,7 +62,7 @@ weight: 5 --- -### RequestMatch +### RequestMatch {#requestmatch-1} 
@@ -85,7 +85,7 @@ weight: 5 --- -### Transformations +### Transformations {#transformations-1} @@ -106,7 +106,7 @@ weight: 5 --- -### RequestResponseTransformations +### RequestResponseTransformations {#requestresponsetransformations} @@ -125,7 +125,7 @@ weight: 5 --- -### TransformationStages +### TransformationStages {#transformationstages} @@ -152,7 +152,7 @@ weight: 5 --- -### Transformation +### Transformation {#transformation-2} User-facing API for transformation. @@ -176,7 +176,7 @@ User-facing API for transformation. --- -### Extraction +### Extraction {#extraction-2} Extractions can be used to extract information from the request/response. @@ -205,7 +205,7 @@ The extracted information can then be referenced in template fields. --- -### Mode +### Mode {#mode-2} The mode of operation for the extraction. @@ -220,7 +220,7 @@ The mode of operation for the extraction. --- -### TransformationTemplate +### TransformationTemplate {#transformationtemplate-1} Defines a transformation template. @@ -264,7 +264,7 @@ Defines a transformation template. --- -### HeaderToAppend +### HeaderToAppend {#headertoappend-1} Defines a header-template pair to be used in `headers_to_append` @@ -284,7 +284,7 @@ Defines a header-template pair to be used in `headers_to_append` --- -### DynamicMetadataValue +### DynamicMetadataValue {#dynamicmetadatavalue-1} Defines an [Envoy Dynamic @@ -310,7 +310,7 @@ entry. --- -### SpanTransformer +### SpanTransformer {#spantransformer-1} Definitions for span transformations for tracing purposes. @@ -328,7 +328,7 @@ Definitions for span transformations for tracing purposes. --- -### RequestBodyParse +### RequestBodyParse {#requestbodyparse-1} Determines how the body will be parsed. @@ -342,7 +342,7 @@ Determines how the body will be parsed. --- -### InjaTemplate +### InjaTemplate {#injatemplate-1} Defines an [Inja template](https://github.com/pantor/inja) that will be 
@@ -379,7 +379,7 @@ substring extends to the end of the input string. --- -### Passthrough +### Passthrough {#passthrough-2} @@ -394,7 +394,7 @@ substring extends to the end of the input string. --- -### MergeExtractorsToBody +### MergeExtractorsToBody {#mergeextractorstobody-1} @@ -409,7 +409,7 @@ substring extends to the end of the input string. --- -### MergeJsonKeys +### MergeJsonKeys {#mergejsonkeys-1} @@ -426,7 +426,7 @@ substring extends to the end of the input string. --- -### OverridableTemplate +### OverridableTemplate {#overridabletemplate-1} @@ -445,7 +445,7 @@ substring extends to the end of the input string. --- -### HeaderBodyTransform +### HeaderBodyTransform {#headerbodytransform-1} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/wasm/wasm.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/wasm/wasm.proto.sk.md index 6ea35fb271f..d5f529d7aa7 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/wasm/wasm.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/wasm/wasm.proto.sk.md @@ -14,9 +14,9 @@ weight: 5 - [PluginSource](#pluginsource) - [WasmFilter](#wasmfilter) - [VmType](#vmtype) -- [FilterStage](#filterstage) -- [Stage](#stage) -- [Predicate](#predicate) +- [FilterStage](#filterstage-1) +- [Stage](#stage-1) +- [Predicate](#predicate-2) @@ -28,7 +28,7 @@ weight: 5 --- -### PluginSource +### PluginSource {#pluginsource} Options config for WASM filters @@ -46,7 +46,7 @@ Options config for WASM filters --- -### WasmFilter +### WasmFilter {#wasmfilter} This message defines a single Envoy WASM filter to be placed into the filter chain @@ -78,7 +78,7 @@ This message defines a single Envoy WASM filter to be placed into the filter cha --- -### VmType +### VmType {#vmtype} represents the different types of WASM VMs available with which envoy can run 
@@ -93,7 +93,7 @@ the WASM filter module --- -### FilterStage +### FilterStage {#filterstage-1} @@ -112,7 +112,7 @@ the WASM filter module --- -### Stage +### Stage {#stage-1} list of filter stages which can be selected for a WASM filter @@ -133,7 +133,7 @@ list of filter stages which can be selected for a WASM filter --- -### Predicate +### Predicate {#predicate-2} During is the 0th member so that it is the default, even though diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/proxy.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/proxy.proto.sk.md index da223e8f5d3..467aca0cca0 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/proxy.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/proxy.proto.sk.md 
@@ -20,22 +20,22 @@ weight: 5 - [HybridListener](#hybridlistener) - [MatchedListener](#matchedlistener) - [MatchedTcpListener](#matchedtcplistener) -- [Matcher](#matcher) +- [Matcher](#matcher-5) - [AggregateListener](#aggregatelistener) - [HttpResources](#httpresources) - [HttpFilterChain](#httpfilterchain) -- [VirtualHost](#virtualhost) -- [Route](#route) -- [RouteAction](#routeaction) +- [VirtualHost](#virtualhost-3) +- [Route](#route-4) +- [RouteAction](#routeaction-2) - [Destination](#destination) - [KubernetesServiceDestination](#kubernetesservicedestination) - [ConsulServiceDestination](#consulservicedestination) - [UpstreamGroup](#upstreamgroup) **Top-Level Resource** - [MultiDestination](#multidestination) - [WeightedDestination](#weighteddestination) -- [RedirectAction](#redirectaction) -- [RedirectResponseCode](#redirectresponsecode) -- [DirectResponseAction](#directresponseaction) +- [RedirectAction](#redirectaction-2) +- [RedirectResponseCode](#redirectresponsecode-2) +- [DirectResponseAction](#directresponseaction-2) - [SourceMetadata](#sourcemetadata) - [SourceRef](#sourceref) - [CustomEnvoyFilter](#customenvoyfilter) @@ -50,7 +50,7 @@ weight: 5 --- -### Proxy +### Proxy {#proxy} A Proxy is a container for the entire set of configuration that will to be applied to one or more Proxy instances. @@ -84,7 +84,7 @@ Node ID can be specified in Envoy with the `--service-node` flag, or in the Envo --- -### Listener +### Listener {#listener} Listeners define the address:port where the proxy will listen for incoming connections @@ -128,7 +128,7 @@ e.g. performing SSL termination, HTTP retries, and rate limiting. --- -### TcpListener +### TcpListener {#tcplistener} @@ -151,7 +151,7 @@ e.g. performing SSL termination, HTTP retries, and rate limiting. --- -### TcpHost +### TcpHost {#tcphost} 
@@ -172,7 +172,7 @@ e.g. performing SSL termination, HTTP retries, and rate limiting. --- -### TcpAction +### TcpAction {#tcpaction} Name of the destinations the gateway can route to. @@ -197,7 +197,7 @@ Note: the destination spec and subsets are not supported in this context and wil --- -### HttpListener +### HttpListener {#httplistener} Use this listener to configure proxy behavior for any HTTP-level features including defining routes (via virtual services). @@ -229,7 +229,7 @@ Some traffic policies can be configured to work both on the listener and virtual --- -### HybridListener +### HybridListener {#hybridlistener} @@ -246,7 +246,7 @@ Some traffic policies can be configured to work both on the listener and virtual --- -### MatchedListener +### MatchedListener {#matchedlistener} @@ -269,7 +269,7 @@ Some traffic policies can be configured to work both on the listener and virtual --- -### MatchedTcpListener +### MatchedTcpListener {#matchedtcplistener} @@ -288,7 +288,7 @@ Some traffic policies can be configured to work both on the listener and virtual --- -### Matcher +### Matcher {#matcher-5} @@ -313,7 +313,7 @@ Some traffic policies can be configured to work both on the listener and virtual --- -### AggregateListener +### AggregateListener {#aggregatelistener} An AggregateListener defines a set of Gloo configuration which will map to a unique set of FilterChains on a Listener @@ -335,7 +335,7 @@ An AggregateListener defines a set of Gloo configuration which will map to a uni --- -### HttpResources +### HttpResources {#httpresources} @@ -354,7 +354,7 @@ An AggregateListener defines a set of Gloo configuration which will map to a uni --- -### HttpFilterChain +### HttpFilterChain {#httpfilterchain} @@ -379,7 +379,7 @@ An AggregateListener defines a set of Gloo configuration which will map to a uni --- -### VirtualHost +### VirtualHost {#virtualhost-3} Virtual Hosts group an ordered list of routes under one or more domains. 
@@ -410,7 +410,7 @@ If a request is not matched to any virtual host or a route therein, the target p --- -### Route +### Route {#route-4} * @@ -443,7 +443,7 @@ Routes declare the entry points on virtual hosts and the action to take for matc --- -### RouteAction +### RouteAction {#routeaction-2} RouteActions are used to route matched requests to upstreams. @@ -469,7 +469,7 @@ RouteActions are used to route matched requests to upstreams. --- -### Destination +### Destination {#destination} Destinations define routable destinations for proxied requests. @@ -495,7 +495,7 @@ Destinations define routable destinations for proxied requests. --- -### KubernetesServiceDestination +### KubernetesServiceDestination {#kubernetesservicedestination} Identifies a port on a kubernetes service to route traffic to. @@ -515,7 +515,7 @@ Identifies a port on a kubernetes service to route traffic to. --- -### ConsulServiceDestination +### ConsulServiceDestination {#consulservicedestination} Identifies a [Consul](https://www.consul.io/) [service](https://www.consul.io/docs/agent/services.html) to route traffic to. @@ -541,7 +541,7 @@ IP addresses and ports and load balance traffic between them. --- -### UpstreamGroup +### UpstreamGroup {#upstreamgroup} @@ -562,7 +562,7 @@ IP addresses and ports and load balance traffic between them. --- -### MultiDestination +### MultiDestination {#multidestination} MultiDestination is a container for a set of weighted destinations. Gloo will load balance traffic for a single @@ -581,7 +581,7 @@ route across multiple destinations according to their specified weights. --- -### WeightedDestination +### WeightedDestination {#weighteddestination} WeightedDestination attaches a weight to a single destination. 
@@ -603,7 +603,7 @@ WeightedDestination attaches a weight to a single destination. --- -### RedirectAction +### RedirectAction {#redirectaction-2} Notice: RedirectAction is copied directly from https://github.com/envoyproxy/envoy/blob/main/api/envoy/api/v2/route/route.proto @@ -635,7 +635,7 @@ Notice: RedirectAction is copied directly from https://github.com/envoyproxy/env --- -### RedirectResponseCode +### RedirectResponseCode {#redirectresponsecode-2} @@ -651,7 +651,7 @@ Notice: RedirectAction is copied directly from https://github.com/envoyproxy/env --- -### DirectResponseAction +### DirectResponseAction {#directresponseaction-2} DirectResponseAction is copied directly from https://github.com/envoyproxy/envoy/blob/main/api/envoy/api/v2/route/route.proto @@ -671,7 +671,7 @@ DirectResponseAction is copied directly from https://github.com/envoyproxy/envoy --- -### SourceMetadata +### SourceMetadata {#sourcemetadata} SourceMetadata is an internal message used to track ownership of nested proxy objects: @@ -692,7 +692,7 @@ SourceMetadata is an internal message used to track ownership of nested proxy ob --- -### SourceRef +### SourceRef {#sourceref} @@ -713,7 +713,7 @@ SourceMetadata is an internal message used to track ownership of nested proxy ob --- -### CustomEnvoyFilter +### CustomEnvoyFilter {#customenvoyfilter} CustomEnvoyFilter contains an arbitrary filter. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_configuration_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_configuration_options.proto.sk.md index bf4745795c1..e2bf7879a0e 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_configuration_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_configuration_options.proto.sk.md 
@@ -23,7 +23,7 @@ weight: 5 --- -### RouteConfigurationOptions +### RouteConfigurationOptions {#routeconfigurationoptions} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_options.proto.sk.md index 3d035f7ea3c..f84946e2e2d 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/route_options.proto.sk.md @@ -24,7 +24,7 @@ weight: 5 --- -### RouteOptions +### RouteOptions {#routeoptions} Optional, feature-specific configuration that lives on routes. @@ -123,7 +123,7 @@ to be usable by Gloo. (plugins currently need to be compiled into Gloo) --- -### MaxStreamDuration +### MaxStreamDuration {#maxstreamduration} This is a 1:1 translation to the [Envoy API described here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routeaction-maxstreamduration) diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/secret.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/secret.proto.sk.md index 46899097061..59391cdb560 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/secret.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/secret.proto.sk.md @@ -29,7 +29,7 @@ weight: 5 --- -### Secret +### Secret {#secret} Certain features such as the AWS Lambda option require the use of secrets for authentication, configuration of SSL Certificates, and other data that should not be stored in plaintext configuration. @@ -74,7 +74,7 @@ Gloo's secret backend can be configured in Gloo's bootstrap options --- -### AwsSecret +### AwsSecret {#awssecret} There are two ways of providing AWS secrets: 
@@ -142,7 +142,7 @@ metadata: --- -### AzureSecret +### AzureSecret {#azuresecret} @@ -159,7 +159,7 @@ metadata: --- -### TlsSecret +### TlsSecret {#tlssecret} @@ -182,7 +182,7 @@ metadata: --- -### HeaderSecret +### HeaderSecret {#headersecret} @@ -199,7 +199,7 @@ metadata: --- -### AccountCredentialsSecret +### AccountCredentialsSecret {#accountcredentialssecret} Secret to represent any kind of a username/secretname and password/secret combination @@ -220,7 +220,7 @@ Used by LDAP auth to store service account credentials and by HMAC auth to keep --- -### EncryptionKeySecret +### EncryptionKeySecret {#encryptionkeysecret} Secret used for key encryption. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md index a37a0d3fce2..f66ee2952b2 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [Settings](#settings) **Top-Level Resource** +- [Settings](#settings-7) **Top-Level Resource** - [SecretOptions](#secretoptions) - [Source](#source) - [KubernetesCrds](#kubernetescrds) @@ -59,7 +59,7 @@ weight: 5 --- -### Settings +### Settings {#settings-7} Represents global settings for all the Gloo components. @@ -147,7 +147,7 @@ Represents global settings for all the Gloo components. --- -### SecretOptions +### SecretOptions {#secretoptions} @@ -164,7 +164,7 @@ Represents global settings for all the Gloo components. --- -### Source +### Source {#source} @@ -185,7 +185,7 @@ Represents global settings for all the Gloo components. --- -### KubernetesCrds +### KubernetesCrds {#kubernetescrds} Use Kubernetes CRDs as storage. 
@@ -201,7 +201,7 @@ Use Kubernetes CRDs as storage. --- -### KubernetesSecrets +### KubernetesSecrets {#kubernetessecrets} Use Kubernetes as storage for secret data. @@ -217,7 +217,7 @@ Use Kubernetes as storage for secret data. --- -### VaultSecrets +### VaultSecrets {#vaultsecrets} Use [HashiCorp Vault](https://www.vaultproject.io/) as storage for secret data. @@ -259,7 +259,7 @@ Use [HashiCorp Vault](https://www.vaultproject.io/) as storage for secret data. --- -### VaultAwsAuth +### VaultAwsAuth {#vaultawsauth} Configure Vault client to authenticate to server via AWS auth (IAM only). @@ -292,7 +292,7 @@ For more info see https://developer.hashicorp.com/vault/docs/auth/aws --- -### VaultTlsConfig +### VaultTlsConfig {#vaulttlsconfig} Settings to configure TLS-enabled Vault as a secret store @@ -320,7 +320,7 @@ Settings to configure TLS-enabled Vault as a secret store --- -### ConsulKv +### ConsulKv {#consulkv} Use [HashiCorp Consul Key-Value](https://www.consul.io/api/kv.html/) as storage for config data. @@ -340,7 +340,7 @@ Configuration options for connecting to Consul can be configured in the Settings --- -### KubernetesConfigmaps +### KubernetesConfigmaps {#kubernetesconfigmaps} Use Kubernetes ConfigMaps as storage. @@ -356,7 +356,7 @@ Use Kubernetes ConfigMaps as storage. --- -### Directory +### Directory {#directory} As an alternative to Kubernetes CRDs, Gloo is able to store resources in a local file system. @@ -375,7 +375,7 @@ This option determines the root of the directory tree used to this end. --- -### KnativeOptions +### KnativeOptions {#knativeoptions} @@ -396,7 +396,7 @@ This option determines the root of the directory tree used to this end. --- -### DiscoveryOptions +### DiscoveryOptions {#discoveryoptions} @@ -417,7 +417,7 @@ This option determines the root of the directory tree used to this end. --- -### UdsOptions +### UdsOptions {#udsoptions} 
@@ -436,7 +436,7 @@ This option determines the root of the directory tree used to this end. --- -### FdsOptions +### FdsOptions {#fdsoptions} @@ -451,7 +451,7 @@ This option determines the root of the directory tree used to this end. --- -### FdsMode +### FdsMode {#fdsmode} Possible modes for running the function discovery service (FDS). FDS polls services in-cluster for Swagger @@ -468,7 +468,7 @@ FdsMode specifies what policy FDS will use when determining which services to po --- -### ConsulConfiguration +### ConsulConfiguration {#consulconfiguration} Provides overrides for the default configuration parameters used to connect to Consul. @@ -518,7 +518,7 @@ need to be set on the Gloo container. --- -### ServiceDiscoveryOptions +### ServiceDiscoveryOptions {#servicediscoveryoptions} service discovery options for Consul @@ -536,7 +536,7 @@ service discovery options for Consul --- -### ConsulUpstreamDiscoveryConfiguration +### ConsulUpstreamDiscoveryConfiguration {#consulupstreamdiscoveryconfiguration} Settings related to gloo's behavior when discovering consul services and creating @@ -569,7 +569,7 @@ upstreams to connect to those services and their instances. --- -### KubernetesConfiguration +### KubernetesConfiguration {#kubernetesconfiguration} Provides overrides for the default configuration parameters used to interact with Kubernetes. @@ -587,7 +587,7 @@ Provides overrides for the default configuration parameters used to interact wit --- -### RateLimits +### RateLimits {#ratelimits} @@ -606,7 +606,7 @@ Provides overrides for the default configuration parameters used to interact wit --- -### ObservabilityOptions +### ObservabilityOptions {#observabilityoptions} @@ -625,7 +625,7 @@ Provides overrides for the default configuration parameters used to interact wit --- -### GrafanaIntegration +### GrafanaIntegration {#grafanaintegration} Provides settings related to the observability pod's interactions with grafana 
@@ -647,7 +647,7 @@ Provides settings related to the observability pod's interactions with grafana --- -### MetricLabels +### MetricLabels {#metriclabels} @@ -664,7 +664,7 @@ Provides settings related to the observability pod's interactions with grafana --- -### LabelSelector +### LabelSelector {#labelselector} A label selector requirement is a selector that contains values, a key, and an operator that @@ -687,7 +687,7 @@ Ref: https://github.com/kubernetes/apimachinery/blob/f7615f37d717297aca511014784 --- -### LabelSelectorRequirement +### LabelSelectorRequirement {#labelselectorrequirement} A label selector requirement is a selector that contains values, a key, and an operator that @@ -712,7 +712,7 @@ Ref: https://github.com/kubernetes/apimachinery/blob/f7615f37d717297aca511014784 --- -### UpstreamOptions +### UpstreamOptions {#upstreamoptions} Default configuration to use for upstreams, when not provided by a specific upstream @@ -733,7 +733,7 @@ When these properties are defined on a specific upstream, this configuration wil --- -### GlooOptions +### GlooOptions {#gloooptions} Settings specific to the gloo (Envoy xDS server) controller @@ -787,7 +787,7 @@ Settings specific to the gloo (Envoy xDS server) controller --- -### AWSOptions +### AWSOptions {#awsoptions} @@ -812,7 +812,7 @@ Settings specific to the gloo (Envoy xDS server) controller --- -### InvalidConfigPolicy +### InvalidConfigPolicy {#invalidconfigpolicy} Policy for how Gloo should handle invalid config @@ -835,7 +835,7 @@ Policy for how Gloo should handle invalid config --- -### IstioOptions +### IstioOptions {#istiooptions} @@ -856,7 +856,7 @@ Policy for how Gloo should handle invalid config --- -### VirtualServiceOptions +### VirtualServiceOptions {#virtualserviceoptions} Default configuration to use for VirtualServices, when not provided by a specific virtual service 
@@ -875,7 +875,7 @@ When these properties are defined on a specific VirtualService, this configurati --- -### GatewayOptions +### GatewayOptions {#gatewayoptions} Settings specific to the Gateway controller @@ -911,7 +911,7 @@ Settings specific to the Gateway controller --- -### ValidationOptions +### ValidationOptions {#validationoptions} options for configuring admission control / validation @@ -951,7 +951,7 @@ options for configuring admission control / validation --- -### ConsoleOptions +### ConsoleOptions {#consoleoptions} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -967,7 +967,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### GraphqlOptions +### GraphqlOptions {#graphqloptions} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields @@ -983,7 +983,7 @@ DEPRECATED: This message is deprecated and has been removed from use as of gloo --- -### SchemaChangeValidationOptions +### SchemaChangeValidationOptions {#schemachangevalidationoptions} DEPRECATED: This message is deprecated and has been removed from use as of gloo 1.20. Message is being kept to prevent future use of these names and fields diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/ssl/ssl.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/ssl/ssl.proto.sk.md index 06e9a59d591..77f9ae9b338 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/ssl/ssl.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/ssl/ssl.proto.sk.md 
@@ -16,10 +16,10 @@ weight: 5 - [SSLFiles](#sslfiles) - [UpstreamSslConfig](#upstreamsslconfig) - [SDSConfig](#sdsconfig) -- [CallCredentials](#callcredentials) +- [CallCredentials](#callcredentials-1) - [FileCredentialSource](#filecredentialsource) -- [SslParameters](#sslparameters) -- [ProtocolVersion](#protocolversion) +- [SslParameters](#sslparameters-1) +- [ProtocolVersion](#protocolversion-1) @@ -31,7 +31,7 @@ weight: 5 --- -### SslConfig +### SslConfig {#sslconfig} SslConfig contains the options necessary to configure a virtual host or listener to use TLS termination @@ -69,7 +69,7 @@ SslConfig contains the options necessary to configure a virtual host or listener --- -### OcspStaplePolicy +### OcspStaplePolicy {#ocspstaplepolicy} @@ -83,7 +83,7 @@ SslConfig contains the options necessary to configure a virtual host or listener --- -### SSLFiles +### SSLFiles {#sslfiles} SSLFiles reference paths to certificates which can be read by the proxy off of its local filesystem @@ -107,7 +107,7 @@ SSLFiles reference paths to certificates which can be read by the proxy off of i --- -### UpstreamSslConfig +### UpstreamSslConfig {#upstreamsslconfig} SslConfig contains the options necessary to configure an upstream to use TLS origination @@ -141,7 +141,7 @@ SslConfig contains the options necessary to configure an upstream to use TLS ori --- -### SDSConfig +### SDSConfig {#sdsconfig} @@ -166,7 +166,7 @@ SslConfig contains the options necessary to configure an upstream to use TLS ori --- -### CallCredentials +### CallCredentials {#callcredentials-1} @@ -183,7 +183,7 @@ SslConfig contains the options necessary to configure an upstream to use TLS ori --- -### FileCredentialSource +### FileCredentialSource {#filecredentialsource} 
@@ -202,7 +202,7 @@ SslConfig contains the options necessary to configure an upstream to use TLS ori --- -### SslParameters +### SslParameters {#sslparameters-1} General TLS parameters. See the [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters) @@ -227,7 +227,7 @@ for more information on the meaning of these values. --- -### ProtocolVersion +### ProtocolVersion {#protocolversion-1} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/subset.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/subset.proto.sk.md index cf3e077e4fc..c6d4e79ac1f 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/subset.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/subset.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [Subset](#subset) +- [Subset](#subset-1) @@ -23,7 +23,7 @@ weight: 5 --- -### Subset +### Subset {#subset-1} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/tcp_listener_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/tcp_listener_options.proto.sk.md index 41d99bd8caf..366507273ad 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/tcp_listener_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/tcp_listener_options.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### TcpListenerOptions +### TcpListenerOptions {#tcplisteneroptions} Optional, feature-specific configuration that lives on tcp listeners diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/upstream.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/upstream.proto.sk.md index dd629940368..8fd50607e65 100644 
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/upstream.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/upstream.proto.sk.md @@ -14,7 +14,7 @@ weight: 5 - [Upstream](#upstream) **Top-Level Resource** - [ClusterProtocolSelection](#clusterprotocolselection) - [DiscoveryMetadata](#discoverymetadata) -- [HeaderValue](#headervalue) +- [HeaderValue](#headervalue-3) - [PreconnectPolicy](#preconnectpolicy) @@ -27,7 +27,7 @@ weight: 5 --- -### Upstream +### Upstream {#upstream} Upstreams represent destination for routing HTTP requests. Upstreams can be compared to @@ -114,7 +114,7 @@ Each upstream type is handled by a corresponding Gloo plugin. (plugins currently --- -### ClusterProtocolSelection +### ClusterProtocolSelection {#clusterprotocolselection} @@ -127,7 +127,7 @@ Each upstream type is handled by a corresponding Gloo plugin. (plugins currently --- -### DiscoveryMetadata +### DiscoveryMetadata {#discoverymetadata} created by discovery services @@ -145,7 +145,7 @@ created by discovery services --- -### HeaderValue +### HeaderValue {#headervalue-3} Header name/value pair. @@ -165,7 +165,7 @@ Header name/value pair. --- -### PreconnectPolicy +### PreconnectPolicy {#preconnectpolicy} diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/virtual_host_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/virtual_host_options.proto.sk.md index 79282575fde..e3e723b429c 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/virtual_host_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/virtual_host_options.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### VirtualHostOptions +### VirtualHostOptions {#virtualhostoptions} Optional, feature-specific configuration that lives on virtual hosts. 
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/weighted_destination_options.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/weighted_destination_options.proto.sk.md index d7b13f2329a..468d62f7c03 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/weighted_destination_options.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/weighted_destination_options.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### WeightedDestinationOptions +### WeightedDestinationOptions {#weighteddestinationoptions} Optional, feature-specific configuration that is applied when a specific weighted destination diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/ingress.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/ingress.proto.sk.md index 57b8395b7dc..26895d7b63a 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/ingress.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/ingress.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### Ingress +### Ingress {#ingress} A simple wrapper for a Kubernetes Ingress Object. diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/service.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/service.proto.sk.md index 7020773c35c..b3e14798cd6 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/service.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/ingress/api/v1/service.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### KubeService +### KubeService {#kubeservice} A simple wrapper for a Kubernetes Service Object. 
diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/any.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/any.proto.sk.md index a1741779b8f..f33005d719e 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/any.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/any.proto.sk.md @@ -55,7 +55,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### Any +### Any {#any} `Any` contains an arbitrary serialized protocol buffer message along with a diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/api.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/api.proto.sk.md index 5d4d02a3637..6d715cef6b9 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/api.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/api.proto.sk.md @@ -57,7 +57,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### Api +### Api {#api} Api is a light-weight descriptor for an API Interface. @@ -95,7 +95,7 @@ detailed terminology. --- -### Method +### Method {#method} Method represents a method of an API interface. @@ -125,7 +125,7 @@ Method represents a method of an API interface. --- -### Mixin +### Mixin {#mixin} Declares an API Interface to be included in this interface. The including diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/descriptor.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/descriptor.proto.sk.md index 12440695676..0bd9a08b939 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/descriptor.proto.sk.md 
+++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/descriptor.proto.sk.md @@ -57,7 +57,7 @@ without any other information (e.g. without reading its imports). - [ReservedRange](#reservedrange) - [ExtensionRangeOptions](#extensionrangeoptions) - [FieldDescriptorProto](#fielddescriptorproto) -- [Type](#type) +- [Type](#type-12) - [Label](#label) - [OneofDescriptorProto](#oneofdescriptorproto) - [EnumDescriptorProto](#enumdescriptorproto) @@ -94,7 +94,7 @@ without any other information (e.g. without reading its imports). --- -### FileDescriptorSet +### FileDescriptorSet {#filedescriptorset} The protocol compiler can output a FileDescriptorSet containing the .proto @@ -113,7 +113,7 @@ files it parses. --- -### FileDescriptorProto +### FileDescriptorProto {#filedescriptorproto} Describes a complete .proto file. @@ -153,7 +153,7 @@ Describes a complete .proto file. --- -### DescriptorProto +### DescriptorProto {#descriptorproto} Describes a message type. @@ -189,7 +189,7 @@ Describes a message type. --- -### ExtensionRange +### ExtensionRange {#extensionrange} @@ -210,7 +210,7 @@ Describes a message type. --- -### ReservedRange +### ReservedRange {#reservedrange} Range of reserved tag numbers. Reserved tag numbers may not be used by @@ -232,7 +232,7 @@ not overlap. --- -### ExtensionRangeOptions +### ExtensionRangeOptions {#extensionrangeoptions} @@ -249,7 +249,7 @@ not overlap. --- -### FieldDescriptorProto +### FieldDescriptorProto {#fielddescriptorproto} Describes a field within a message. @@ -287,7 +287,7 @@ Describes a field within a message. --- -### Type +### Type {#type-12} @@ -316,7 +316,7 @@ Describes a field within a message. --- -### Label +### Label {#label} @@ -330,7 +330,7 @@ Describes a field within a message. --- -### OneofDescriptorProto +### OneofDescriptorProto {#oneofdescriptorproto} Describes a oneof. 
@@ -350,7 +350,7 @@ Describes a oneof. --- -### EnumDescriptorProto +### EnumDescriptorProto {#enumdescriptorproto} Describes an enum type. @@ -376,7 +376,7 @@ Describes an enum type. --- -### EnumReservedRange +### EnumReservedRange {#enumreservedrange} Range of reserved numeric values. Reserved values may not be used by @@ -401,7 +401,7 @@ domain. --- -### EnumValueDescriptorProto +### EnumValueDescriptorProto {#enumvaluedescriptorproto} Describes a value within an enum. @@ -423,7 +423,7 @@ Describes a value within an enum. --- -### ServiceDescriptorProto +### ServiceDescriptorProto {#servicedescriptorproto} Describes a service. @@ -445,7 +445,7 @@ Describes a service. --- -### MethodDescriptorProto +### MethodDescriptorProto {#methoddescriptorproto} Describes a method of a service. @@ -473,7 +473,7 @@ Describes a method of a service. --- -### FileOptions +### FileOptions {#fileoptions} @@ -530,7 +530,7 @@ Describes a method of a service. --- -### OptimizeMode +### OptimizeMode {#optimizemode} Generated classes can be optimized for speed or code size. @@ -545,7 +545,7 @@ Generated classes can be optimized for speed or code size. --- -### MessageOptions +### MessageOptions {#messageoptions} @@ -570,7 +570,7 @@ Generated classes can be optimized for speed or code size. --- -### FieldOptions +### FieldOptions {#fieldoptions} @@ -599,7 +599,7 @@ Generated classes can be optimized for speed or code size. --- -### CType +### CType {#ctype} @@ -613,7 +613,7 @@ Generated classes can be optimized for speed or code size. --- -### JSType +### JSType {#jstype} @@ -627,7 +627,7 @@ Generated classes can be optimized for speed or code size. --- -### OneofOptions +### OneofOptions {#oneofoptions} @@ -644,7 +644,7 @@ Generated classes can be optimized for speed or code size. --- -### EnumOptions +### EnumOptions {#enumoptions} @@ -665,7 +665,7 @@ Generated classes can be optimized for speed or code size. --- -### EnumValueOptions +### EnumValueOptions {#enumvalueoptions} 
@@ -684,7 +684,7 @@ Generated classes can be optimized for speed or code size. --- -### ServiceOptions +### ServiceOptions {#serviceoptions} @@ -703,7 +703,7 @@ Generated classes can be optimized for speed or code size. --- -### MethodOptions +### MethodOptions {#methodoptions} @@ -724,7 +724,7 @@ Generated classes can be optimized for speed or code size. --- -### IdempotencyLevel +### IdempotencyLevel {#idempotencylevel} Is this method side-effect-free (or safe in HTTP parlance), or idempotent, @@ -741,7 +741,7 @@ methods, and PUT verb for idempotent methods instead of the default POST. --- -### UninterpretedOption +### UninterpretedOption {#uninterpretedoption} A message representing a option the parser does not recognize. This only @@ -776,7 +776,7 @@ in them. --- -### NamePart +### NamePart {#namepart} The name of the uninterpreted option. Each string represents a segment in @@ -800,7 +800,7 @@ E.g.,{ ["foo", false], ["bar.baz", true], ["qux", false] } represents --- -### SourceCodeInfo +### SourceCodeInfo {#sourcecodeinfo} Encapsulates information about the original source file from which a @@ -819,7 +819,7 @@ FileDescriptorProto was generated. --- -### Location +### Location {#location} @@ -844,7 +844,7 @@ FileDescriptorProto was generated. --- -### GeneratedCodeInfo +### GeneratedCodeInfo {#generatedcodeinfo} Describes the relationship between generated code and its original source @@ -864,7 +864,7 @@ source file, but may contain references to different source .proto files. --- -### Annotation +### Annotation {#annotation} diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/duration.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/duration.proto.sk.md index 6aa06ca6caf..db5359c52b6 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/duration.proto.sk.md 
+++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/duration.proto.sk.md @@ -55,7 +55,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### Duration +### Duration {#duration} A Duration represents a signed, fixed-length span of time represented diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/empty.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/empty.proto.sk.md index 84fd1068ab2..6efb36decca 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/empty.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/empty.proto.sk.md @@ -55,7 +55,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### Empty +### Empty {#empty} A generic empty message that you can re-use to avoid defining duplicated diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/field_mask.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/field_mask.proto.sk.md index 797e9d6c2ba..6bb956ef5fb 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/field_mask.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/field_mask.proto.sk.md @@ -55,7 +55,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### FieldMask +### FieldMask {#fieldmask} `FieldMask` represents a set of symbolic field paths, for example: diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/source_context.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/source_context.proto.sk.md index 94ef3b9938c..572fe4063b0 100644 
--- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/source_context.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/source_context.proto.sk.md @@ -55,7 +55,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### SourceContext +### SourceContext {#sourcecontext} `SourceContext` represents information about the source of a diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/struct.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/struct.proto.sk.md index 1fb3103d262..b76a8369bab 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/struct.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/struct.proto.sk.md @@ -44,7 +44,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - [Struct](#struct) -- [Value](#value) +- [Value](#value-1) - [ListValue](#listvalue) @@ -64,7 +64,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### Struct +### Struct {#struct} `Struct` represents a structured data value, consisting of fields @@ -89,7 +89,7 @@ The JSON representation for `Struct` is JSON object. --- -### Value +### Value {#value-1} `Value` represents a dynamically typed value which can be either @@ -122,7 +122,7 @@ The JSON representation for `Value` is JSON value. --- -### ListValue +### ListValue {#listvalue} `ListValue` is a wrapper around a repeated field of values. @@ -141,7 +141,7 @@ The JSON representation for `ListValue` is JSON array. -### NullValue +### NullValue {#nullvalue} Description: `NullValue` is a singleton enumeration to represent the null value for the `Value` type union. 
diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/timestamp.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/timestamp.proto.sk.md index 898fe7fe111..784be7fe52c 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/timestamp.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/timestamp.proto.sk.md @@ -55,7 +55,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### Timestamp +### Timestamp {#timestamp} A Timestamp represents a point in time independent of any time zone or local diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/type.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/type.proto.sk.md index de2f24b21e0..ce1c6970f1d 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/type.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/type.proto.sk.md @@ -43,11 +43,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. **Types:** -- [Type](#type) +- [Type](#type-13) - [Field](#field) -- [Kind](#kind) +- [Kind](#kind-1) - [Cardinality](#cardinality) -- [Enum](#enum) +- [Enum](#enum-1) - [EnumValue](#enumvalue) - [Option](#option) @@ -68,7 +68,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- -### Type +### Type {#type-13} A protocol buffer message type. @@ -96,7 +96,7 @@ A protocol buffer message type. --- -### Field +### Field {#field} A single field of a message type. @@ -132,7 +132,7 @@ A single field of a message type. --- -### Kind +### Kind {#kind-1} Basic field types. 
@@ -163,7 +163,7 @@ Basic field types. --- -### Cardinality +### Cardinality {#cardinality} Whether a field is optional, required, or repeated. @@ -179,7 +179,7 @@ Whether a field is optional, required, or repeated. --- -### Enum +### Enum {#enum-1} Enum type definition. @@ -205,7 +205,7 @@ Enum type definition. --- -### EnumValue +### EnumValue {#enumvalue} Enum value definition. @@ -227,7 +227,7 @@ Enum value definition. --- -### Option +### Option {#option} A protocol buffer option, which can be attached to a message, field, @@ -247,7 +247,7 @@ enumeration, etc. -### Syntax +### Syntax {#syntax} Description: The syntax in which a protocol buffer element is defined. diff --git a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/wrappers.proto.sk.md b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/wrappers.proto.sk.md index ca278673d52..f75a79d818b 100644 --- a/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/wrappers.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/protoc-gen-ext/external/google/protobuf/wrappers.proto.sk.md @@ -72,7 +72,7 @@ individual entries of a map or fields of a oneof can already detect presence. --- -### DoubleValue +### DoubleValue {#doublevalue} Wrapper message for `double`. @@ -92,7 +92,7 @@ The JSON representation for `DoubleValue` is JSON number. --- -### FloatValue +### FloatValue {#floatvalue} Wrapper message for `float`. @@ -112,7 +112,7 @@ The JSON representation for `FloatValue` is JSON number. --- -### Int64Value +### Int64Value {#int64value} Wrapper message for `int64`. @@ -132,7 +132,7 @@ The JSON representation for `Int64Value` is JSON string. --- -### UInt64Value +### UInt64Value {#uint64value} Wrapper message for `uint64`. @@ -152,7 +152,7 @@ The JSON representation for `UInt64Value` is JSON string. --- -### Int32Value +### Int32Value {#int32value} Wrapper message for `int32`. 
@@ -172,7 +172,7 @@ The JSON representation for `Int32Value` is JSON number. --- -### UInt32Value +### UInt32Value {#uint32value} Wrapper message for `uint32`. @@ -192,7 +192,7 @@ The JSON representation for `UInt32Value` is JSON number. --- -### BoolValue +### BoolValue {#boolvalue} Wrapper message for `bool`. @@ -212,7 +212,7 @@ The JSON representation for `BoolValue` is JSON `true` and `false`. --- -### StringValue +### StringValue {#stringvalue} Wrapper message for `string`. @@ -232,7 +232,7 @@ The JSON representation for `StringValue` is JSON string. --- -### BytesValue +### BytesValue {#bytesvalue} Wrapper message for `bytes`. diff --git a/docs/content/reference/api/github.com/solo-io/skv2/api/core/v1/core.proto.sk.md b/docs/content/reference/api/github.com/solo-io/skv2/api/core/v1/core.proto.sk.md index d77e91ec87e..a3a599aa97f 100644 --- a/docs/content/reference/api/github.com/solo-io/skv2/api/core/v1/core.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/skv2/api/core/v1/core.proto.sk.md @@ -16,11 +16,11 @@ weight: 5 - [ClusterObjectRef](#clusterobjectref) - [TypedObjectRef](#typedobjectref) - [TypedClusterObjectRef](#typedclusterobjectref) -- [Status](#status) +- [Status](#status-1) - [State](#state) - [ObjectSelector](#objectselector) -- [Expression](#expression) -- [Operator](#operator) +- [Expression](#expression-3) +- [Operator](#operator-3) - [PolicyTargetReference](#policytargetreference) - [PolicyTargetReferenceWithSectionName](#policytargetreferencewithsectionname) @@ -34,7 +34,7 @@ weight: 5 --- -### ObjectRef +### ObjectRef {#objectref} Resource reference for an object @@ -54,7 +54,7 @@ Resource reference for an object --- -### ObjectRefList +### ObjectRefList {#objectreflist} Object providing a list of object refs. @@ -73,7 +73,7 @@ Used to store lists of refs inside a map. --- -### ClusterObjectRef +### ClusterObjectRef {#clusterobjectref} Resource reference for a cross-cluster-scoped object 
@@ -95,7 +95,7 @@ Resource reference for a cross-cluster-scoped object --- -### TypedObjectRef +### TypedObjectRef {#typedobjectref} Resource reference for a typed object @@ -119,7 +119,7 @@ Resource reference for a typed object --- -### TypedClusterObjectRef +### TypedClusterObjectRef {#typedclusterobjectref} Resource reference for a typed, cross-cluster-scoped object @@ -145,7 +145,7 @@ Resource reference for a typed, cross-cluster-scoped object --- -### Status +### Status {#status-1} A generic status @@ -171,7 +171,7 @@ A generic status --- -### State +### State {#state} The State of a reconciled object @@ -188,7 +188,7 @@ The State of a reconciled object --- -### ObjectSelector +### ObjectSelector {#objectselector} Select K8s Objects by namespace, labels, or both. @@ -210,7 +210,7 @@ Select K8s Objects by namespace, labels, or both. --- -### Expression +### Expression {#expression-3} @@ -231,7 +231,7 @@ Select K8s Objects by namespace, labels, or both. --- -### Operator +### Operator {#operator-3} Object Selector expression operator, while the set-based syntax differs from Kubernetes (kubernetes: `key: !mylabel`, gloo: `key: mylabel, operator: "!"` | kubernetes: `key: mylabel`, gloo: `key: mylabel, operator: exists`), the functionality remains the same. @@ -252,7 +252,7 @@ Object Selector expression operator, while the set-based syntax differs from Kub --- -### PolicyTargetReference +### PolicyTargetReference {#policytargetreference} PolicyTargetReference identifies Gateway API objects to directly apply policy to. @@ -281,7 +281,7 @@ See the following for more information: --- -### PolicyTargetReferenceWithSectionName +### PolicyTargetReferenceWithSectionName {#policytargetreferencewithsectionname} PolicyTargetReferenceWithSectionName identifies Gateway API objects, and optionally a specific section of those objects, to directly apply policy to. 
diff --git a/docs/content/reference/api/github.com/solo-io/skv2/api/multicluster/v1alpha1/cluster.proto.sk.md b/docs/content/reference/api/github.com/solo-io/skv2/api/multicluster/v1alpha1/cluster.proto.sk.md index f890062c7e8..adaa76fe21a 100644 --- a/docs/content/reference/api/github.com/solo-io/skv2/api/multicluster/v1alpha1/cluster.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/skv2/api/multicluster/v1alpha1/cluster.proto.sk.md @@ -27,7 +27,7 @@ weight: 5 --- -### KubernetesClusterSpec +### KubernetesClusterSpec {#kubernetesclusterspec} Representation of a Kubernetes cluster that has been registered. @@ -49,7 +49,7 @@ Representation of a Kubernetes cluster that has been registered. --- -### ProviderInfo +### ProviderInfo {#providerinfo} Metadata for clusters provisioned from cloud providers. @@ -67,7 +67,7 @@ Metadata for clusters provisioned from cloud providers. --- -### Eks +### Eks {#eks} AWS metadata associated with an EKS provisioned cluster. @@ -91,7 +91,7 @@ AWS metadata associated with an EKS provisioned cluster. --- -### KubernetesClusterStatus +### KubernetesClusterStatus {#kubernetesclusterstatus} @@ -112,7 +112,7 @@ AWS metadata associated with an EKS provisioned cluster. --- -### PolicyRule +### PolicyRule {#policyrule} Copy pasted from the official kubernetes definition: diff --git a/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/core/v1/placement.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/core/v1/placement.proto.sk.md index 1357d1e6b4b..d2c2cae0d94 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/core/v1/placement.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/core/v1/placement.proto.sk.md 
@@ -14,8 +14,8 @@ weight: 5 - [TemplateMetadata](#templatemetadata) - [PlacementStatus](#placementstatus) - [Namespace](#namespace) -- [Cluster](#cluster) -- [State](#state) +- [Cluster](#cluster-1) +- [State](#state-1) @@ -27,7 +27,7 @@ weight: 5 --- -### TemplateMetadata +### TemplateMetadata {#templatemetadata} Object Metadata to be written with the resource into the remote cluster @@ -49,7 +49,7 @@ Object Metadata to be written with the resource into the remote cluster --- -### PlacementStatus +### PlacementStatus {#placementstatus} @@ -74,7 +74,7 @@ Object Metadata to be written with the resource into the remote cluster --- -### Namespace +### Namespace {#namespace} @@ -93,7 +93,7 @@ Object Metadata to be written with the resource into the remote cluster --- -### Cluster +### Cluster {#cluster-1} @@ -110,7 +110,7 @@ Object Metadata to be written with the resource into the remote cluster --- -### State +### State {#state-1} diff --git a/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/failover.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/failover.proto.sk.md index c7e493ccef1..c108342ba35 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/failover.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/failover.proto.sk.md @@ -15,8 +15,8 @@ weight: 5 - [FailoverEndpoints](#failoverendpoints) - [LocalityLbTargets](#localitylbtargets) - [FailoverSchemeStatus](#failoverschemestatus) -- [Status](#status) -- [State](#state) +- [Status](#status-2) +- [State](#state-2) @@ -28,7 +28,7 @@ weight: 5 --- -### FailoverSchemeSpec +### FailoverSchemeSpec {#failoverschemespec} FailoverSpec is the core portion of the API for enabling failover between Gloo Upstreams in gloo-fed. @@ -81,7 +81,7 @@ namespace: two --- -### FailoverEndpoints +### FailoverEndpoints {#failoverendpoints} 
@@ -98,7 +98,7 @@ namespace: two --- -### LocalityLbTargets +### LocalityLbTargets {#localitylbtargets} @@ -119,7 +119,7 @@ namespace: two --- -### FailoverSchemeStatus +### FailoverSchemeStatus {#failoverschemestatus} @@ -144,7 +144,7 @@ namespace: two --- -### Status +### Status {#status-2} @@ -167,7 +167,7 @@ namespace: two --- -### State +### State {#state-2} The State of a reconciled object diff --git a/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/instance.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/instance.proto.sk.md index 67685fcb22b..1f47b657ce7 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/instance.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-apis/api/gloo-fed/fed/v1/instance.proto.sk.md @@ -12,15 +12,15 @@ weight: 5 - [GlooInstanceSpec](#glooinstancespec) -- [ControlPlane](#controlplane) -- [Proxy](#proxy) +- [ControlPlane](#controlplane-1) +- [Proxy](#proxy-1) - [IngressEndpoint](#ingressendpoint) - [Port](#port) - [WorkloadController](#workloadcontroller) - [Admin](#admin) - [Check](#check) - [Summary](#summary) -- [ResourceReport](#resourcereport) +- [ResourceReport](#resourcereport-1) - [GlooInstanceStatus](#glooinstancestatus) @@ -33,7 +33,7 @@ weight: 5 --- -### GlooInstanceSpec +### GlooInstanceSpec {#glooinstancespec} @@ -62,7 +62,7 @@ weight: 5 --- -### ControlPlane +### ControlPlane {#controlplane-1} @@ -83,7 +83,7 @@ weight: 5 --- -### Proxy +### Proxy {#proxy-1} @@ -120,7 +120,7 @@ weight: 5 --- -### IngressEndpoint +### IngressEndpoint {#ingressendpoint} @@ -141,7 +141,7 @@ weight: 5 --- -### Port +### Port {#port} @@ -160,7 +160,7 @@ weight: 5 --- -### WorkloadController +### WorkloadController {#workloadcontroller} @@ -174,7 +174,7 @@ weight: 5 --- -### Admin +### Admin {#admin} 
@@ -193,7 +193,7 @@ weight: 5 --- -### Check +### Check {#check} Check describes the status of the objects powering the GlooInstance. @@ -235,7 +235,7 @@ Check describes the status of the objects powering the GlooInstance. --- -### Summary +### Summary {#summary} Summary provides aggregate information for a given resource type. @@ -257,7 +257,7 @@ Summary provides aggregate information for a given resource type. --- -### ResourceReport +### ResourceReport {#resourcereport-1} A ResourceReport references an object and provides a status message. @@ -277,7 +277,7 @@ A ResourceReport references an object and provides a status message. --- -### GlooInstanceStatus +### GlooInstanceStatus {#glooinstancestatus} diff --git a/docs/content/reference/api/github.com/solo-io/solo-apis/api/rate-limiter/v1alpha1/ratelimit.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-apis/api/rate-limiter/v1alpha1/ratelimit.proto.sk.md index bd73e75970f..a8795a72154 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-apis/api/rate-limiter/v1alpha1/ratelimit.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-apis/api/rate-limiter/v1alpha1/ratelimit.proto.sk.md 
@@ -14,29 +14,29 @@ weight: 5 - [RateLimitConfigSpec](#ratelimitconfigspec) - [Raw](#raw) - [RateLimitConfigStatus](#ratelimitconfigstatus) -- [State](#state) +- [State](#state-3) - [RateLimitConfigNamespacedStatuses](#ratelimitconfignamespacedstatuses) - [Descriptor](#descriptor) - [SetDescriptor](#setdescriptor) - [SimpleDescriptor](#simpledescriptor) - [RateLimitActions](#ratelimitactions) -- [RateLimit](#ratelimit) +- [RateLimit](#ratelimit-2) - [Unit](#unit) -- [Action](#action) -- [SourceCluster](#sourcecluster) -- [DestinationCluster](#destinationcluster) -- [RequestHeaders](#requestheaders) -- [RemoteAddress](#remoteaddress) -- [GenericKey](#generickey) -- [HeaderValueMatch](#headervaluematch) -- [HeaderMatcher](#headermatcher) -- [Int64Range](#int64range) -- [MetaData](#metadata) -- [MetadataKey](#metadatakey) -- [PathSegment](#pathsegment) -- [Source](#source) -- [Override](#override) -- [DynamicMetadata](#dynamicmetadata) +- [Action](#action-5) +- [SourceCluster](#sourcecluster-2) +- [DestinationCluster](#destinationcluster-2) +- [RequestHeaders](#requestheaders-2) +- [RemoteAddress](#remoteaddress-2) +- [GenericKey](#generickey-2) +- [HeaderValueMatch](#headervaluematch-2) +- [HeaderMatcher](#headermatcher-3) +- [Int64Range](#int64range-3) +- [MetaData](#metadata-2) +- [MetadataKey](#metadatakey-1) +- [PathSegment](#pathsegment-4) +- [Source](#source-1) +- [Override](#override-1) +- [DynamicMetadata](#dynamicmetadata-2) @@ -48,7 +48,7 @@ weight: 5 --- -### RateLimitConfigSpec +### RateLimitConfigSpec {#ratelimitconfigspec} A `RateLimitConfig` describes a rate limit policy. @@ -66,7 +66,7 @@ A `RateLimitConfig` describes a rate limit policy. --- -### Raw +### Raw {#raw} This object allows users to specify rate limit policies using the raw configuration formats 
@@ -92,7 +92,7 @@ collisions between raw configurations defined on separate `RateLimitConfig` reso --- -### RateLimitConfigStatus +### RateLimitConfigStatus {#ratelimitconfigstatus} The current status of the `RateLimitConfig`. @@ -114,7 +114,7 @@ The current status of the `RateLimitConfig`. --- -### State +### State {#state-3} @@ -128,7 +128,7 @@ The current status of the `RateLimitConfig`. --- -### RateLimitConfigNamespacedStatuses +### RateLimitConfigNamespacedStatuses {#ratelimitconfignamespacedstatuses} @@ -145,7 +145,7 @@ The current status of the `RateLimitConfig`. --- -### Descriptor +### Descriptor {#descriptor} A descriptor is a list of key/value pairs that the rate limit server uses to select @@ -193,7 +193,7 @@ Otherwise, nested descriptors allow more complex matching and rate limiting scen --- -### SetDescriptor +### SetDescriptor {#setdescriptor} A setDescriptor is a list of key/value pairs that the rate limit server uses to select @@ -238,7 +238,7 @@ The `rate_limit` block sets up an actual rate limit rule. --- -### SimpleDescriptor +### SimpleDescriptor {#simpledescriptor} A simpleDescriptor is a list of key/value pairs that the rate limit server uses to select @@ -271,7 +271,7 @@ a more specific match. --- -### RateLimitActions +### RateLimitActions {#ratelimitactions} Each action and setAction in the lists maps part of the request (or its context) to a descriptor. The tuple or set of descriptors @@ -357,7 +357,7 @@ setDescriptors: --- -### RateLimit +### RateLimit {#ratelimit-2} A `RateLimit` specifies the actual rate limit that will be used when there is a match. @@ -377,7 +377,7 @@ A `RateLimit` specifies the actual rate limit that will be used when there is a --- -### Unit +### Unit {#unit} @@ -393,7 +393,7 @@ A `RateLimit` specifies the actual rate limit that will be used when there is a --- -### Action +### Action {#action-5} Copied directly from envoy 
@@ -424,7 +424,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_compone --- -### SourceCluster +### SourceCluster {#sourcecluster-2} The following descriptor entry is appended to the descriptor: @@ -446,7 +446,7 @@ The following descriptor entry is appended to the descriptor: --- -### DestinationCluster +### DestinationCluster {#destinationcluster-2} The following descriptor entry is appended to the descriptor: @@ -477,7 +477,7 @@ settings: --- -### RequestHeaders +### RequestHeaders {#requestheaders-2} The following descriptor entry is appended when a header contains a key that matches the @@ -502,7 +502,7 @@ The following descriptor entry is appended when a header contains a key that mat --- -### RemoteAddress +### RemoteAddress {#remoteaddress-2} The following descriptor entry is appended to the descriptor and is populated using the @@ -523,7 +523,7 @@ trusted address from `x-forwarded-for (config_http_conn_man_headers_x-forwarded- --- -### GenericKey +### GenericKey {#generickey-2} The following descriptor entry is appended to the descriptor: @@ -545,7 +545,7 @@ The following descriptor entry is appended to the descriptor: --- -### HeaderValueMatch +### HeaderValueMatch {#headervaluematch-2} The following descriptor entry is appended to the descriptor: @@ -571,7 +571,7 @@ The following descriptor entry is appended to the descriptor: --- -### HeaderMatcher +### HeaderMatcher {#headermatcher-3} @@ -602,7 +602,7 @@ The following descriptor entry is appended to the descriptor: --- -### Int64Range +### Int64Range {#int64range-3} Specifies the int64 start and end of the range using half-open interval semantics [start, @@ -623,7 +623,7 @@ end). --- -### MetaData +### MetaData {#metadata-2} The following descriptor entry is appended when the metadata contains a key value: 
@@ -648,7 +648,7 @@ The following descriptor entry is appended when the metadata contains a key valu --- -### MetadataKey +### MetadataKey {#metadatakey-1} MetadataKey provides a general interface using `key` and `path` to retrieve value from @@ -689,7 +689,7 @@ path: --- -### PathSegment +### PathSegment {#pathsegment-4} Specifies the segment in a path to retrieve value from Metadata. @@ -708,7 +708,7 @@ Currently it is only supported to specify the key, i.e. field name, as one segme --- -### Source +### Source {#source-1} @@ -721,7 +721,7 @@ Currently it is only supported to specify the key, i.e. field name, as one segme --- -### Override +### Override {#override-1} Copied directly from envoy @@ -740,7 +740,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_compone --- -### DynamicMetadata +### DynamicMetadata {#dynamicmetadata-2} Fetches the override from the dynamic metadata. diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/address.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/address.proto.sk.md index 728d315bb7a..56d05f9d30c 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/address.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/address.proto.sk.md @@ -11,13 +11,13 @@ weight: 5 **Types:** -- [Pipe](#pipe) -- [SocketAddress](#socketaddress) -- [Protocol](#protocol) -- [TcpKeepalive](#tcpkeepalive) -- [BindConfig](#bindconfig) -- [Address](#address) -- [CidrRange](#cidrrange) +- [Pipe](#pipe-1) +- [SocketAddress](#socketaddress-1) +- [Protocol](#protocol-1) +- [TcpKeepalive](#tcpkeepalive-2) +- [BindConfig](#bindconfig-1) +- [Address](#address-1) +- [CidrRange](#cidrrange-3) @@ -29,7 +29,7 @@ weight: 5 --- -### Pipe +### Pipe {#pipe-1} 
@@ -48,7 +48,7 @@ weight: 5 --- -### SocketAddress +### SocketAddress {#socketaddress-1} [#next-free-field: 7] @@ -76,7 +76,7 @@ weight: 5 --- -### Protocol +### Protocol {#protocol-1} @@ -89,7 +89,7 @@ weight: 5 --- -### TcpKeepalive +### TcpKeepalive {#tcpkeepalive-2} @@ -110,7 +110,7 @@ weight: 5 --- -### BindConfig +### BindConfig {#bindconfig-1} @@ -131,7 +131,7 @@ weight: 5 --- -### Address +### Address {#address-1} Addresses specify either a logical or physical address and port, which are @@ -153,7 +153,7 @@ management servers. --- -### CidrRange +### CidrRange {#cidrrange-3} CidrRange specifies an IP Address and a prefix length to construct diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/base.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/base.proto.sk.md index 5ec54675623..3e1244e1664 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/base.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/base.proto.sk.md 
@@ -11,22 +11,22 @@ weight: 5 **Types:** -- [Locality](#locality) -- [BuildVersion](#buildversion) -- [Extension](#extension) -- [Node](#node) -- [Metadata](#metadata) -- [RuntimeUInt32](#runtimeuint32) -- [RuntimeFeatureFlag](#runtimefeatureflag) -- [HeaderValue](#headervalue) -- [HeaderValueOption](#headervalueoption) -- [HeaderMap](#headermap) -- [DataSource](#datasource) -- [RemoteDataSource](#remotedatasource) -- [AsyncDataSource](#asyncdatasource) -- [TransportSocket](#transportsocket) -- [RuntimeFractionalPercent](#runtimefractionalpercent) -- [ControlPlane](#controlplane) +- [Locality](#locality-2) +- [BuildVersion](#buildversion-1) +- [Extension](#extension-2) +- [Node](#node-1) +- [Metadata](#metadata-3) +- [RuntimeUInt32](#runtimeuint32-1) +- [RuntimeFeatureFlag](#runtimefeatureflag-1) +- [HeaderValue](#headervalue-4) +- [HeaderValueOption](#headervalueoption-3) +- [HeaderMap](#headermap-1) +- [DataSource](#datasource-1) +- [RemoteDataSource](#remotedatasource-1) +- [AsyncDataSource](#asyncdatasource-1) +- [TransportSocket](#transportsocket-1) +- [RuntimeFractionalPercent](#runtimefractionalpercent-1) +- [ControlPlane](#controlplane-2) @@ -34,9 +34,9 @@ weight: 5 **Enums:** - - [RoutingPriority](#routingpriority) - - [RequestMethod](#requestmethod) - - [TrafficDirection](#trafficdirection) + - [RoutingPriority](#routingpriority-1) + - [RequestMethod](#requestmethod-1) + - [TrafficDirection](#trafficdirection-1) @@ -47,7 +47,7 @@ weight: 5 --- -### Locality +### Locality {#locality-2} Identifies location of where either Envoy runs or where upstream hosts run. @@ -69,7 +69,7 @@ Identifies location of where either Envoy runs or where upstream hosts run. --- -### BuildVersion +### BuildVersion {#buildversion-1} BuildVersion combines SemVer version of extension with free-form build information 
@@ -90,7 +90,7 @@ BuildVersion combines SemVer version of extension with free-form build informati --- -### Extension +### Extension {#extension-2} Version and identification for an Envoy extension. @@ -117,7 +117,7 @@ Version and identification for an Envoy extension. --- -### Node +### Node {#node-1} Identifies a specific Envoy instance. The node identifier is presented to the @@ -158,7 +158,7 @@ configuration for serving. --- -### Metadata +### Metadata {#metadata-3} Metadata provides additional inputs to filters based on matched listeners, @@ -196,7 +196,7 @@ this purpose: --- -### RuntimeUInt32 +### RuntimeUInt32 {#runtimeuint32-1} Runtime derived uint32 with a default when not specified. @@ -216,7 +216,7 @@ Runtime derived uint32 with a default when not specified. --- -### RuntimeFeatureFlag +### RuntimeFeatureFlag {#runtimefeatureflag-1} Runtime derived bool with a default when not specified. @@ -236,7 +236,7 @@ Runtime derived bool with a default when not specified. --- -### HeaderValue +### HeaderValue {#headervalue-4} Header name/value pair. @@ -256,7 +256,7 @@ Header name/value pair. --- -### HeaderValueOption +### HeaderValueOption {#headervalueoption-3} Header name/value pair plus option to control append behavior. @@ -278,7 +278,7 @@ Header name/value pair plus option to control append behavior. --- -### HeaderMap +### HeaderMap {#headermap-1} Wrapper for a set of headers. @@ -296,7 +296,7 @@ Wrapper for a set of headers. --- -### DataSource +### DataSource {#datasource-1} Data source consisting of either a file or an inline value. @@ -318,7 +318,7 @@ Data source consisting of either a file or an inline value. --- -### RemoteDataSource +### RemoteDataSource {#remotedatasource-1} The message specifies how to fetch data from remote and how to verify it. 
@@ -338,7 +338,7 @@ The message specifies how to fetch data from remote and how to verify it. --- -### AsyncDataSource +### AsyncDataSource {#asyncdatasource-1} Async data source which support async data fetch. @@ -358,7 +358,7 @@ Async data source which support async data fetch. --- -### TransportSocket +### TransportSocket {#transportsocket-1} Configuration for transport socket in `listeners (config_listeners)` and @@ -383,7 +383,7 @@ chosen based on the platform and existence of tls_context. --- -### RuntimeFractionalPercent +### RuntimeFractionalPercent {#runtimefractionalpercent-1} Runtime derived FractionalPercent with defaults for when the numerator or denominator is not @@ -404,7 +404,7 @@ specified via a runtime key. --- -### ControlPlane +### ControlPlane {#controlplane-2} Identifies a specific ControlPlane instance that Envoy is connected to. @@ -421,7 +421,7 @@ Identifies a specific ControlPlane instance that Envoy is connected to. -### RoutingPriority +### RoutingPriority {#routingpriority-1} Description: Envoy supports `upstream priority routing (arch_overview_http_routing_priority)` both at the route and the virtual @@ -436,7 +436,7 @@ over a single upstream connection. | DEFAULT | | | HIGH | | -### RequestMethod +### RequestMethod {#requestmethod-1} Description: HTTP request method. @@ -453,7 +453,7 @@ Description: HTTP request method. | TRACE | | | PATCH | | -### TrafficDirection +### TrafficDirection {#trafficdirection-1} Description: Identifies the direction of the traffic relative to the local Envoy. diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/http_uri.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/http_uri.proto.sk.md index f20aa195ed9..32162749e5b 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/http_uri.proto.sk.md 
+++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/http_uri.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [HttpUri](#httpuri) +- [HttpUri](#httpuri-1) @@ -23,7 +23,7 @@ weight: 5 --- -### HttpUri +### HttpUri {#httpuri-1} Envoy external URI descriptor diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/socket_option.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/socket_option.proto.sk.md index 8af318c82a0..1f86dc02c30 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/socket_option.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/core/socket_option.proto.sk.md @@ -11,8 +11,8 @@ weight: 5 **Types:** -- [SocketOption](#socketoption) -- [SocketState](#socketstate) +- [SocketOption](#socketoption-1) +- [SocketState](#socketstate-1) @@ -24,7 +24,7 @@ weight: 5 --- -### SocketOption +### SocketOption {#socketoption-1} Generic socket option message. This would be used to set socket options that @@ -54,7 +54,7 @@ might not exist in upstream kernels or precompiled Envoy binaries. --- -### SocketState +### SocketState {#socketstate-1} diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/discovery.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/discovery.proto.sk.md index bbcfdaac833..ceea9866d50 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/discovery.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/api/v2/discovery.proto.sk.md @@ -15,7 +15,7 @@ weight: 5 - [DiscoveryResponse](#discoveryresponse) - [DeltaDiscoveryRequest](#deltadiscoveryrequest) - [DeltaDiscoveryResponse](#deltadiscoveryresponse) -- [Resource](#resource) +- [Resource](#resource-1) 
@@ -27,7 +27,7 @@ weight: 5 --- -### DiscoveryRequest +### DiscoveryRequest {#discoveryrequest} A DiscoveryRequest requests a set of versioned resources of the same type for @@ -56,7 +56,7 @@ a given Envoy node on some API. --- -### DiscoveryResponse +### DiscoveryResponse {#discoveryresponse} @@ -83,7 +83,7 @@ a given Envoy node on some API. --- -### DeltaDiscoveryRequest +### DeltaDiscoveryRequest {#deltadiscoveryrequest} DeltaDiscoveryRequest and DeltaDiscoveryResponse are used in a new gRPC @@ -144,7 +144,7 @@ initial_resource_versions. --- -### DeltaDiscoveryResponse +### DeltaDiscoveryResponse {#deltadiscoveryresponse} @@ -169,7 +169,7 @@ initial_resource_versions. --- -### Resource +### Resource {#resource-1} diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/percent.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/percent.proto.sk.md index be25eda3e1a..8ece7828277 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/percent.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/percent.proto.sk.md @@ -11,9 +11,9 @@ weight: 5 **Types:** -- [Percent](#percent) -- [FractionalPercent](#fractionalpercent) -- [DenominatorType](#denominatortype) +- [Percent](#percent-1) +- [FractionalPercent](#fractionalpercent-1) +- [DenominatorType](#denominatortype-1) @@ -25,7 +25,7 @@ weight: 5 --- -### Percent +### Percent {#percent-1} Identifies a percentage, in the range [0.0, 100.0]. @@ -43,7 +43,7 @@ Identifies a percentage, in the range [0.0, 100.0]. --- -### FractionalPercent +### FractionalPercent {#fractionalpercent-1} A fractional percentage is used in cases in which for performance reasons performing floating 
@@ -68,7 +68,7 @@ both a numerator and denominator that together determine the final fractional va --- -### DenominatorType +### DenominatorType {#denominatortype-1} Fraction percentages support several fixed denominator values. diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/semantic_version.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/semantic_version.proto.sk.md index 08faea26f42..0ef32d3359b 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/semantic_version.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/envoy/type/semantic_version.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [SemanticVersion](#semanticversion) +- [SemanticVersion](#semanticversion-1) @@ -23,7 +23,7 @@ weight: 5 --- -### SemanticVersion +### SemanticVersion {#semanticversion-1} Envoy uses SemVer (https://semver.org/). Major/minor versions indicate diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/api/http.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/api/http.proto.sk.md index 9b08990aa50..7f1b2c39794 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/api/http.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/api/http.proto.sk.md @@ -41,7 +41,7 @@ limitations under the License. --- -### Http +### Http {#http} Defines the HTTP configuration for an API service. It contains a list of @@ -63,7 +63,7 @@ to one or more HTTP REST API methods. --- -### HttpRule +### HttpRule {#httprule} `HttpRule` defines the mapping of an RPC method to one or more HTTP @@ -313,7 +313,7 @@ repeated fields or map fields. --- -### CustomHttpPattern +### CustomHttpPattern {#customhttppattern} A custom pattern is used for defining custom HTTP verb. 
diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/rpc/status.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/rpc/status.proto.sk.md index 23cc34ce13b..b7aeafa221d 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/rpc/status.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/google/rpc/status.proto.sk.md @@ -27,7 +27,7 @@ limitations under the License. **Types:** -- [Status](#status) +- [Status](#status-3) @@ -39,7 +39,7 @@ limitations under the License. --- -### Status +### Status {#status-3} The `Status` type defines a logical error model that is suitable for different diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/metrics.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/metrics.proto.sk.md index 652607ae062..7e215f8992f 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/metrics.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/metrics.proto.sk.md @@ -30,7 +30,7 @@ limitations under the License. - [Gauge](#gauge) - [Counter](#counter) - [Quantile](#quantile) -- [Summary](#summary) +- [Summary](#summary-1) - [Untyped](#untyped) - [Histogram](#histogram) - [Bucket](#bucket) @@ -54,7 +54,7 @@ limitations under the License. --- -### LabelPair +### LabelPair {#labelpair} @@ -73,7 +73,7 @@ limitations under the License. --- -### Gauge +### Gauge {#gauge} @@ -90,7 +90,7 @@ limitations under the License. --- -### Counter +### Counter {#counter} @@ -107,7 +107,7 @@ limitations under the License. --- -### Quantile +### Quantile {#quantile} @@ -126,7 +126,7 @@ limitations under the License. --- -### Summary +### Summary {#summary-1} @@ -147,7 +147,7 @@ limitations under the License. --- -### Untyped +### Untyped {#untyped} 
@@ -164,7 +164,7 @@ limitations under the License. --- -### Histogram +### Histogram {#histogram} @@ -185,7 +185,7 @@ limitations under the License. --- -### Bucket +### Bucket {#bucket} @@ -204,7 +204,7 @@ limitations under the License. --- -### Metric +### Metric {#metric} @@ -233,7 +233,7 @@ limitations under the License. --- -### MetricFamily +### MetricFamily {#metricfamily} @@ -255,7 +255,7 @@ limitations under the License. -### MetricType +### MetricType {#metrictype} Description: diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/trace.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/trace.proto.sk.md index 39de7336bf9..3dd7645a0e3 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/trace.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/external/trace.proto.sk.md @@ -30,15 +30,15 @@ limitations under the License. - [Span](#span) - [Attributes](#attributes) - [TimeEvent](#timeevent) -- [Annotation](#annotation) +- [Annotation](#annotation-1) - [MessageEvent](#messageevent) -- [Type](#type) +- [Type](#type-14) - [TimeEvents](#timeevents) - [Link](#link) -- [Type](#type) +- [Type](#type-15) - [Links](#links) - [SpanKind](#spankind) -- [Status](#status) +- [Status](#status-4) - [AttributeValue](#attributevalue) - [StackTrace](#stacktrace) - [StackFrame](#stackframe) @@ -56,7 +56,7 @@ limitations under the License. --- -### Span +### Span {#span} A span represents a single operation within a trace. Spans can be @@ -108,7 +108,7 @@ TODO(bdrutu): Add an example. --- -### Attributes +### Attributes {#attributes} A set of attributes, each with a key and a value. @@ -128,7 +128,7 @@ A set of attributes, each with a key and a value. --- -### TimeEvent +### TimeEvent {#timeevent} A time-stamped annotation or message event in the Span. 
@@ -150,7 +150,7 @@ A time-stamped annotation or message event in the Span. --- -### Annotation +### Annotation {#annotation-1} A text annotation with a set of attributes. @@ -170,7 +170,7 @@ A text annotation with a set of attributes. --- -### MessageEvent +### MessageEvent {#messageevent} An event describing a message sent/received between Spans. @@ -194,7 +194,7 @@ An event describing a message sent/received between Spans. --- -### Type +### Type {#type-14} Indicates whether the message was sent or received. @@ -209,7 +209,7 @@ Indicates whether the message was sent or received. --- -### TimeEvents +### TimeEvents {#timeevents} A collection of `TimeEvent`s. A `TimeEvent` is a time-stamped annotation @@ -233,7 +233,7 @@ details of a message sent/received between Spans. --- -### Link +### Link {#link} A pointer from the current span to another span in the same trace or in a @@ -260,7 +260,7 @@ traces or when the handler receives a request from a different project. --- -### Type +### Type {#type-15} The relationship of the current span relative to the linked span: child, @@ -276,7 +276,7 @@ parent, or unspecified. --- -### Links +### Links {#links} A collection of links, which are references from this span to a span @@ -297,7 +297,7 @@ in the same or different trace. --- -### SpanKind +### SpanKind {#spankind} Type of span. Can be used to specify additional relationships between spans @@ -313,7 +313,7 @@ in addition to a parent/child relationship. --- -### Status +### Status {#status-4} The `Status` type defines a logical error model that is suitable for different @@ -337,7 +337,7 @@ which is used by [gRPC](https://github.com/grpc). --- -### AttributeValue +### AttributeValue {#attributevalue} The value of an Attribute. @@ -359,7 +359,7 @@ The value of an Attribute. --- -### StackTrace +### StackTrace {#stacktrace} The call stack which originated this span. 
@@ -379,7 +379,7 @@ The call stack which originated this span. --- -### StackFrame +### StackFrame {#stackframe} A single stack frame in a stack trace. @@ -409,7 +409,7 @@ A single stack frame in a stack trace. --- -### StackFrames +### StackFrames {#stackframes} A collection of stack frames, which can be truncated. @@ -429,7 +429,7 @@ A collection of stack frames, which can be truncated. --- -### Module +### Module {#module} A description of a binary module. @@ -449,7 +449,7 @@ A description of a binary module. --- -### TruncatableString +### TruncatableString {#truncatablestring} A string that might be shortened to a specified length. diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/metadata.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/metadata.proto.sk.md index 1bd61d33cdb..2da245c65d0 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/metadata.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/metadata.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [Metadata](#metadata) +- [Metadata](#metadata-4) - [OwnerReference](#ownerreference) @@ -24,7 +24,7 @@ weight: 5 --- -### Metadata +### Metadata {#metadata-4} * @@ -57,7 +57,7 @@ Metadata contains general properties of resources for purposes of versioning, an --- -### OwnerReference +### OwnerReference {#ownerreference} proto message representing kubernertes owner reference diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/ref.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/ref.proto.sk.md index f672f9c63d9..ecac980ebc7 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/ref.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/ref.proto.sk.md @@ -23,7 +23,7 @@ weight: 5 --- -### ResourceRef +### ResourceRef {#resourceref} A way to reference resources across namespaces 
diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/solo-kit.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/solo-kit.proto.sk.md index 7f7ae90b99f..59e3851f17a 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/solo-kit.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/solo-kit.proto.sk.md @@ -11,7 +11,7 @@ weight: 5 **Types:** -- [Resource](#resource) +- [Resource](#resource-2) @@ -23,7 +23,7 @@ weight: 5 --- -### Resource +### Resource {#resource-2} diff --git a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/status.proto.sk.md b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/status.proto.sk.md index 6e77964a9de..a596aca579b 100644 --- a/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/status.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/solo-kit/api/v1/status.proto.sk.md @@ -12,8 +12,8 @@ weight: 5 - [NamespacedStatuses](#namespacedstatuses) -- [Status](#status) -- [State](#state) +- [Status](#status-5) +- [State](#state-4) @@ -25,7 +25,7 @@ weight: 5 --- -### NamespacedStatuses +### NamespacedStatuses {#namespacedstatuses} * @@ -45,7 +45,7 @@ NamespacedStatuses are meant to be read-only by users --- -### Status +### Status {#status-5} * @@ -75,7 +75,7 @@ Statuses are meant to be read-only by users --- -### State +### State {#state-4} diff --git a/docs/content/reference/values.txt b/docs/content/reference/values.txt index d4403672ab9..b63dc36a787 100644 --- a/docs/content/reference/values.txt +++ b/docs/content/reference/values.txt 
@@ -183,6 +183,10 @@
 |kubeGateway.gatewayParameters.glooGateway.aiExtension.env[].valueFrom.secretKeyRef.name|string|||
 |kubeGateway.gatewayParameters.glooGateway.aiExtension.env[].valueFrom.secretKeyRef.key|string|||
 |kubeGateway.gatewayParameters.glooGateway.aiExtension.env[].valueFrom.secretKeyRef.optional|bool|||
+|kubeGateway.gatewayParameters.glooGateway.aiExtension.env[].valueFrom.fileKeyRef.volumeName|string|||
+|kubeGateway.gatewayParameters.glooGateway.aiExtension.env[].valueFrom.fileKeyRef.path|string|||
+|kubeGateway.gatewayParameters.glooGateway.aiExtension.env[].valueFrom.fileKeyRef.key|string|||
+|kubeGateway.gatewayParameters.glooGateway.aiExtension.env[].valueFrom.fileKeyRef.optional|bool|||
 |kubeGateway.gatewayParameters.glooGateway.aiExtension.ports[].name|string|||
 |kubeGateway.gatewayParameters.glooGateway.aiExtension.ports[].hostPort|int32|||
 |kubeGateway.gatewayParameters.glooGateway.aiExtension.ports[].containerPort|int32|||
@@ -295,6 +299,10 @@
 |settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.name|string|||
 |settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.key|string|||
 |settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.optional|bool|||
+|settings.integrations.knative.proxy.customEnv[].valueFrom.fileKeyRef.volumeName|string|||
+|settings.integrations.knative.proxy.customEnv[].valueFrom.fileKeyRef.path|string|||
+|settings.integrations.knative.proxy.customEnv[].valueFrom.fileKeyRef.key|string|||
+|settings.integrations.knative.proxy.customEnv[].valueFrom.fileKeyRef.optional|bool|||
 |settings.integrations.knative.proxy.restartPolicy|string||restart policy to use when the pod exits|
 |settings.integrations.knative.proxy.priorityClassName|string||name of a defined priority class|
 |settings.integrations.knative.proxy.nodeName|string||name of node to run on|
@@ -473,6 +481,10 @@ |gloo.deployment.customEnv[].valueFrom.secretKeyRef.name|string||| |gloo.deployment.customEnv[].valueFrom.secretKeyRef.key|string||| |gloo.deployment.customEnv[].valueFrom.secretKeyRef.optional|bool||| +|gloo.deployment.customEnv[].valueFrom.fileKeyRef.volumeName|string||| +|gloo.deployment.customEnv[].valueFrom.fileKeyRef.path|string||| +|gloo.deployment.customEnv[].valueFrom.fileKeyRef.key|string||| +|gloo.deployment.customEnv[].valueFrom.fileKeyRef.optional|bool||| |gloo.deployment.restartPolicy|string||restart policy to use when the pod exits| |gloo.deployment.priorityClassName|string||name of a defined priority class| |gloo.deployment.nodeName|string||name of node to run on| @@ -602,6 +614,10 @@ |discovery.deployment.customEnv[].valueFrom.secretKeyRef.name|string||| |discovery.deployment.customEnv[].valueFrom.secretKeyRef.key|string||| |discovery.deployment.customEnv[].valueFrom.secretKeyRef.optional|bool||| +|discovery.deployment.customEnv[].valueFrom.fileKeyRef.volumeName|string||| +|discovery.deployment.customEnv[].valueFrom.fileKeyRef.path|string||| +|discovery.deployment.customEnv[].valueFrom.fileKeyRef.key|string||| +|discovery.deployment.customEnv[].valueFrom.fileKeyRef.optional|bool||| |discovery.deployment.restartPolicy|string||restart policy to use when the pod exits| |discovery.deployment.priorityClassName|string||name of a defined priority class| |discovery.deployment.nodeName|string||name of node to run on| 
@@ -874,6 +890,10 @@ |gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.name|string||| |gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.key|string||| |gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.optional|bool||| +|gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fileKeyRef.volumeName|string||| +|gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fileKeyRef.path|string||| +|gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fileKeyRef.key|string||| +|gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fileKeyRef.optional|bool||| |gatewayProxies.NAME.kind.deployment.restartPolicy|string||restart policy to use when the pod exits| |gatewayProxies.NAME.kind.deployment.priorityClassName|string||name of a defined priority class| |gatewayProxies.NAME.kind.deployment.nodeName|string||name of node to run on| @@ -1129,6 +1149,10 @@ |gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.name|string||| |gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.key|string||| |gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.optional|bool||| +|gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fileKeyRef.volumeName|string||| +|gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fileKeyRef.path|string||| +|gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fileKeyRef.key|string||| +|gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fileKeyRef.optional|bool||| |gatewayProxies.gatewayProxy.kind.deployment.restartPolicy|string||restart policy to use when the pod exits| |gatewayProxies.gatewayProxy.kind.deployment.priorityClassName|string||name of a defined priority class| |gatewayProxies.gatewayProxy.kind.deployment.nodeName|string||name of node to run on| 
@@ -1429,6 +1453,10 @@ |ingress.deployment.customEnv[].valueFrom.secretKeyRef.name|string||| |ingress.deployment.customEnv[].valueFrom.secretKeyRef.key|string||| |ingress.deployment.customEnv[].valueFrom.secretKeyRef.optional|bool||| +|ingress.deployment.customEnv[].valueFrom.fileKeyRef.volumeName|string||| +|ingress.deployment.customEnv[].valueFrom.fileKeyRef.path|string||| +|ingress.deployment.customEnv[].valueFrom.fileKeyRef.key|string||| +|ingress.deployment.customEnv[].valueFrom.fileKeyRef.optional|bool||| |ingress.deployment.restartPolicy|string||restart policy to use when the pod exits| |ingress.deployment.priorityClassName|string||name of a defined priority class| |ingress.deployment.nodeName|string||name of node to run on| @@ -1510,6 +1538,10 @@ |ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.name|string||| |ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.key|string||| |ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.optional|bool||| +|ingressProxy.deployment.customEnv[].valueFrom.fileKeyRef.volumeName|string||| +|ingressProxy.deployment.customEnv[].valueFrom.fileKeyRef.path|string||| +|ingressProxy.deployment.customEnv[].valueFrom.fileKeyRef.key|string||| +|ingressProxy.deployment.customEnv[].valueFrom.fileKeyRef.optional|bool||| |ingressProxy.deployment.restartPolicy|string||restart policy to use when the pod exits| |ingressProxy.deployment.priorityClassName|string||name of a defined priority class| |ingressProxy.deployment.nodeName|string||name of node to run on| 
@@ -1609,6 +1641,10 @@ |accessLogger.customEnv[].valueFrom.secretKeyRef.name|string||| |accessLogger.customEnv[].valueFrom.secretKeyRef.key|string||| |accessLogger.customEnv[].valueFrom.secretKeyRef.optional|bool||| +|accessLogger.customEnv[].valueFrom.fileKeyRef.volumeName|string||| +|accessLogger.customEnv[].valueFrom.fileKeyRef.path|string||| +|accessLogger.customEnv[].valueFrom.fileKeyRef.key|string||| +|accessLogger.customEnv[].valueFrom.fileKeyRef.optional|bool||| |accessLogger.restartPolicy|string||restart policy to use when the pod exits| |accessLogger.priorityClassName|string||name of a defined priority class| |accessLogger.nodeName|string||name of node to run on| diff --git a/docs/content/static/content/osa_provided.md b/docs/content/static/content/osa_provided.md index 9f7ee2f5ba7..133ec3943cb 100644 --- a/docs/content/static/content/osa_provided.md +++ b/docs/content/static/content/osa_provided.md 
@@ -6,11 +6,11 @@ Name|Version|License [avast/retry-go](https://github.com/avast/retry-go)|v2.4.3+incompatible|MIT License [retry-go/v4](https://github.com/avast/retry-go)|v4.3.3|MIT License [aws/aws-sdk-go](https://github.com/aws/aws-sdk-go)|v1.34.9|Apache License 2.0 -[xds/go](https://github.com/cncf/xds)|v0.0.0-20250501225837-2ac532fd4443|Apache License 2.0 +[xds/go](https://github.com/cncf/xds)|v0.0.0-20251110193048-8bfbf64dc13e|Apache License 2.0 [cratonica/2goarray](https://github.com/cratonica/2goarray)|v0.0.0-20190331194516-514510793eaa|MIT License -[envoyproxy/go-control-plane](https://github.com/envoyproxy/go-control-plane)|v0.13.5-0.20251015221300-4138018a492b|Apache License 2.0 +[envoyproxy/go-control-plane](https://github.com/envoyproxy/go-control-plane)|v0.14.0|Apache License 2.0 [go-control-plane/contrib](https://github.com/envoyproxy/go-control-plane)|v1.32.5-0.20250627145903-197b96a9c7f8|Apache License 2.0 -[go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane)|v1.35.1-0.20251015221300-4138018a492b|Apache License 2.0 +[go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane)|v1.36.1-0.20251120180717-7c66c7f1d0b2|Apache License 2.0 [go-control-plane/ratelimit](https://github.com/envoyproxy/go-control-plane)|v0.1.1-0.20250507123352-93990c5ec02f|Apache License 2.0 [envoyproxy/protoc-gen-validate](https://github.com/envoyproxy/protoc-gen-validate)|v1.2.1|Apache License 2.0 [fatih/color](https://github.com/fatih/color)|v1.18.0|MIT License 
@@ -39,12 +39,12 @@ Name|Version|License [kelseyhightower/envconfig](https://github.com/kelseyhightower/envconfig)|v1.4.0|MIT License [go-httpbin/v2](https://github.com/mccutchen/go-httpbin)|v2.15.0|MIT License [olekukonko/tablewriter](https://github.com/olekukonko/tablewriter)|v0.0.5|MIT License -[ginkgo/v2](https://github.com/onsi/ginkgo)|v2.24.0|MIT License -[onsi/gomega](https://github.com/onsi/gomega)|v1.38.0|MIT License +[ginkgo/v2](https://github.com/onsi/ginkgo)|v2.27.2|MIT License +[onsi/gomega](https://github.com/onsi/gomega)|v1.38.2|MIT License [pkg/browser](https://github.com/pkg/browser)|v0.0.0-20180916011732-0a3d74bf9ce4|BSD 2-clause "Simplified" License [pkg/errors](https://github.com/pkg/errors)|v0.9.1|BSD 2-clause "Simplified" License [prometheus/client_model](https://github.com/prometheus/client_model)|v0.6.2|Apache License 2.0 -[prometheus/common](https://github.com/prometheus/common)|v0.65.0|Apache License 2.0 +[prometheus/common](https://github.com/prometheus/common)|v0.67.2|Apache License 2.0 [go-ruleguard/dsl](https://github.com/quasilyte/go-ruleguard)|v0.3.22|BSD 3-clause "New" or "Revised" License [rodaine/table](https://github.com/rodaine/table)|v1.3.0|MIT License [rotisserie/eris](https://github.com/rotisserie/eris)|v0.5.4|MIT License 
@@ -57,39 +57,40 @@ Name|Version|License [stoewer/go-strcase](https://github.com/stoewer/go-strcase)|v1.3.1|MIT License [stretchr/testify](https://github.com/stretchr/testify)|v1.11.1|MIT License [go.opencensus.io](https://go.opencensus.io)|v0.24.0|Apache License 2.0 -[proto/otlp](https://go.opentelemetry.io/proto/otlp)|v1.7.1|Apache License 2.0 +[proto/otlp](https://go.opentelemetry.io/proto/otlp)|v1.9.0|Apache License 2.0 [go.uber.org/goleak](https://go.uber.org/goleak)|v1.3.0|MIT License +[go.uber.org/mock](https://go.uber.org/mock)|v0.6.0|Apache License 2.0 [go.uber.org/multierr](https://go.uber.org/multierr)|v1.11.0|MIT License [go.uber.org/zap](https://go.uber.org/zap)|v1.27.0|MIT License -[x/crypto](https://golang.org/x/crypto)|v0.41.0|BSD 3-clause "New" or "Revised" License -[x/exp](https://golang.org/x/exp)|v0.0.0-20250506013437-ce4c2cf36ca6|BSD 3-clause "New" or "Revised" License -[x/mod](https://golang.org/x/mod)|v0.27.0|BSD 3-clause "New" or "Revised" License -[x/sync](https://golang.org/x/sync)|v0.16.0|BSD 3-clause "New" or "Revised" License -[x/tools](https://golang.org/x/tools)|v0.36.0|BSD 3-clause "New" or "Revised" License -[googleapis/api](https://google.golang.org/genproto/googleapis/api)|v0.0.0-20250811230008-5f3141c8851a|Apache License 2.0 -[googleapis/rpc](https://google.golang.org/genproto/googleapis/rpc)|v0.0.0-20250811230008-5f3141c8851a|Apache License 2.0 -[google.golang.org/grpc](https://google.golang.org/grpc)|v1.75.1|Apache License 2.0 +[x/crypto](https://golang.org/x/crypto)|v0.43.0|BSD 3-clause "New" or "Revised" License +[x/exp](https://golang.org/x/exp)|v0.0.0-20251017212417-90e834f514db|BSD 3-clause "New" or "Revised" License +[x/mod](https://golang.org/x/mod)|v0.29.0|BSD 3-clause "New" or "Revised" License +[x/sync](https://golang.org/x/sync)|v0.18.0|BSD 3-clause "New" or "Revised" License +[x/tools](https://golang.org/x/tools)|v0.38.0|BSD 3-clause "New" or "Revised" License 
+[googleapis/api](https://google.golang.org/genproto/googleapis/api)|v0.0.0-20251020155222-88f65dc88635|Apache License 2.0 +[googleapis/rpc](https://google.golang.org/genproto/googleapis/rpc)|v0.0.0-20251020155222-88f65dc88635|Apache License 2.0 +[google.golang.org/grpc](https://google.golang.org/grpc)|v1.76.0|Apache License 2.0 [google.golang.org/protobuf](https://google.golang.org/protobuf)|v1.36.10|BSD 3-clause "New" or "Revised" License [AlecAivazis/survey.v1](https://gopkg.in/AlecAivazis/survey.v1)|v1.8.7|MIT License [gopkg.in/yaml.v3](https://gopkg.in/yaml.v3)|v3.0.1|MIT License -[helm/v3](https://helm.sh/helm/v3)|v3.18.5|Apache License 2.0 -[istio.io/api](https://istio.io/api)|v1.27.0-beta.0.0.20250731082105-36763529c462|Apache License 2.0 -[istio.io/client-go](https://istio.io/client-go)|v1.27.0-beta.0.0.20250731082605-b098a6e566f4|Apache License 2.0 -[istio.io/istio](https://istio.io/istio)|v0.0.0-20250808040725-7359d8be2504|Apache License 2.0 -[k8s.io/api](https://k8s.io/api)|v0.33.1|Apache License 2.0 -[k8s.io/apiextensions-apiserver](https://k8s.io/apiextensions-apiserver)|v0.33.1|Apache License 2.0 -[k8s.io/apimachinery](https://k8s.io/apimachinery)|v0.33.1|Apache License 2.0 -[k8s.io/client-go](https://k8s.io/client-go)|v0.33.1|Apache License 2.0 -[k8s.io/code-generator](https://k8s.io/code-generator)|v0.33.1|Apache License 2.0 -[k8s.io/component-base](https://k8s.io/component-base)|v0.33.1|Apache License 2.0 -[k8s.io/kubectl](https://k8s.io/kubectl)|v0.33.1|Apache License 2.0 -[k8s.io/utils](https://k8s.io/utils)|v0.0.0-20240711033017-18e509b52bc8|Apache License 2.0 +[helm/v3](https://helm.sh/helm/v3)|v3.18.6|Apache License 2.0 +[istio.io/api](https://istio.io/api)|v1.28.0-alpha.0.0.20251210001900-ce7b5802387c|Apache License 2.0 +[istio.io/client-go](https://istio.io/client-go)|v1.28.0-alpha.0.0.20251210002059-b67694478a4b|Apache License 2.0 +[istio.io/istio](https://istio.io/istio)|v0.0.0-20251215222123-9eb419397d40|Apache License 2.0 
+[k8s.io/api](https://k8s.io/api)|v0.34.2|Apache License 2.0 +[k8s.io/apiextensions-apiserver](https://k8s.io/apiextensions-apiserver)|v0.34.2|Apache License 2.0 +[k8s.io/apimachinery](https://k8s.io/apimachinery)|v0.34.2|Apache License 2.0 +[k8s.io/client-go](https://k8s.io/client-go)|v0.34.2|Apache License 2.0 +[k8s.io/code-generator](https://k8s.io/code-generator)|v0.34.2|Apache License 2.0 +[k8s.io/component-base](https://k8s.io/component-base)|v0.34.2|Apache License 2.0 +[k8s.io/kubectl](https://k8s.io/kubectl)|v0.34.2|Apache License 2.0 +[k8s.io/utils](https://k8s.io/utils)|v0.0.0-20250604170112-4c0f3b243397|Apache License 2.0 [knative.dev/networking](https://knative.dev/networking)|v0.0.0-20211210083629-bace06e98aee|Apache License 2.0 [knative.dev/pkg](https://knative.dev/pkg)|v0.0.0-20211206113427-18589ac7627e|Apache License 2.0 -[sigs.k8s.io/controller-runtime](https://sigs.k8s.io/controller-runtime)|v0.21.0|Apache License 2.0 -[sigs.k8s.io/controller-tools](https://sigs.k8s.io/controller-tools)|v0.18.0|Apache License 2.0 -[sigs.k8s.io/gateway-api](https://sigs.k8s.io/gateway-api)|v1.3.0|Apache License 2.0 -[structured-merge-diff/v4](https://sigs.k8s.io/structured-merge-diff/v4)|v4.7.0|Apache License 2.0 +[sigs.k8s.io/controller-runtime](https://sigs.k8s.io/controller-runtime)|v0.22.4|Apache License 2.0 +[sigs.k8s.io/controller-tools](https://sigs.k8s.io/controller-tools)|v0.19.0|Apache License 2.0 +[sigs.k8s.io/gateway-api](https://sigs.k8s.io/gateway-api)|v1.4.0|Apache License 2.0 +[structured-merge-diff/v6](https://sigs.k8s.io/structured-merge-diff/v6)|v6.3.0|Apache License 2.0 [sigs.k8s.io/yaml](https://sigs.k8s.io/yaml)|v1.6.0|MIT License [cmd/goimports](https://golang.org/x/tools/cmd/goimports)|latest|MIT License [gogo/protobuf](https://github.com/gogo/protobuf)|latest|MIT License diff --git a/go.mod b/go.mod index a1ba02e1edc..350245132de 100644 --- a/go.mod +++ b/go.mod 
@@ -1,6 +1,6 @@ module github.com/solo-io/gloo -go 1.24.9 +go 1.25.5 // Note for developers: upgrading go will also require upgrading go in the following files: // ./cloudbuild-cache.yaml, @@ -10,11 +10,11 @@ require ( github.com/Netflix/go-expect v0.0.0-20180928190340-9d1f4485533b github.com/avast/retry-go v2.4.3+incompatible github.com/aws/aws-sdk-go v1.34.9 - github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 + github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e github.com/cratonica/2goarray v0.0.0-20190331194516-514510793eaa - github.com/envoyproxy/go-control-plane v0.13.5-0.20251015221300-4138018a492b + github.com/envoyproxy/go-control-plane v0.14.0 github.com/envoyproxy/go-control-plane/contrib v1.32.5-0.20250627145903-197b96a9c7f8 - github.com/envoyproxy/go-control-plane/envoy v1.35.1-0.20251015221300-4138018a492b + github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20251120180717-7c66c7f1d0b2 github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20250507123352-93990c5ec02f github.com/envoyproxy/protoc-gen-validate v1.2.1 github.com/form3tech-oss/jwt-go v3.2.5+incompatible 
@@ -42,25 +42,25 @@ require ( github.com/jhump/protoreflect v1.15.3 github.com/kelseyhightower/envconfig v1.4.0 github.com/olekukonko/tablewriter v0.0.5 - github.com/onsi/ginkgo/v2 v2.24.0 - github.com/onsi/gomega v1.38.0 + github.com/onsi/ginkgo/v2 v2.27.2 + github.com/onsi/gomega v1.38.2 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 github.com/pkg/errors v0.9.1 github.com/rotisserie/eris v0.5.4 github.com/saiskee/gettercheck v0.0.0-20210820204958-38443d06ebe0 github.com/sergi/go-diff v1.2.0 github.com/solo-io/go-list-licenses v0.1.4 - github.com/solo-io/go-utils v0.28.6 - github.com/solo-io/k8s-utils v0.11.1 + github.com/solo-io/go-utils v0.29.0 + github.com/solo-io/k8s-utils v0.12.0 github.com/solo-io/protoc-gen-ext v0.1.0 - github.com/solo-io/protoc-gen-openapi v0.3.0 - github.com/solo-io/skv2 v0.44.1 + github.com/solo-io/protoc-gen-openapi v0.4.0 + github.com/solo-io/skv2 v0.45.0 - // Pinned to the `k8s-1.33-bump` tag of solo-apis on `gloo-main` branch + // Pinned to the `k8s-1.34-bump` tag of solo-apis on `gloo-main` branch // Ref: https://github.com/solo-io/gloo/pull/9463/files#r1594409655 && https://solo-io-corp.slack.com/archives/C03MFATU265/p1716913420716729?thread_ts=1716476992.938679&cid=C03MFATU265 // as to why it is now based off `gloo-main` and not `gloo-repo-branch` - github.com/solo-io/solo-apis v0.0.0-20250616141238-dd7b8dbf6a9b - github.com/solo-io/solo-kit v0.39.2 + github.com/solo-io/solo-apis v0.0.0-20251212201919-e8dd072aea09 + github.com/solo-io/solo-kit v0.40.0 github.com/spf13/afero v1.14.0 github.com/spf13/cobra v1.9.1 github.com/spf13/pflag v1.0.7 
@@ -69,24 +69,24 @@ require ( go.uber.org/goleak v1.3.0 go.uber.org/multierr v1.11.0 go.uber.org/zap v1.27.0 - golang.org/x/crypto v0.41.0 - golang.org/x/sync v0.16.0 - golang.org/x/tools v0.36.0 - google.golang.org/grpc v1.75.1 + golang.org/x/crypto v0.43.0 + golang.org/x/sync v0.18.0 + golang.org/x/tools v0.38.0 + google.golang.org/grpc v1.76.0 google.golang.org/protobuf v1.36.10 gopkg.in/AlecAivazis/survey.v1 v1.8.7 - helm.sh/helm/v3 v3.18.5 - k8s.io/api v0.33.4 - k8s.io/apiextensions-apiserver v0.33.4 - k8s.io/apimachinery v0.33.4 - k8s.io/client-go v0.33.4 - k8s.io/code-generator v0.33.4 - k8s.io/component-base v0.33.4 - k8s.io/kubectl v0.33.3 + helm.sh/helm/v3 v3.18.6 + k8s.io/api v0.34.2 + k8s.io/apiextensions-apiserver v0.34.2 + k8s.io/apimachinery v0.34.2 + k8s.io/client-go v0.34.2 + k8s.io/code-generator v0.34.2 + k8s.io/component-base v0.34.2 + k8s.io/kubectl v0.34.2 knative.dev/networking v0.0.0-20211210083629-bace06e98aee knative.dev/pkg v0.0.0-20211206113427-18589ac7627e - sigs.k8s.io/controller-runtime v0.21.0 - sigs.k8s.io/gateway-api v1.3.0 + sigs.k8s.io/controller-runtime v0.22.4 + sigs.k8s.io/gateway-api v1.4.0 sigs.k8s.io/yaml v1.6.0 ) 
@@ -95,41 +95,45 @@ require ( github.com/avast/retry-go/v4 v4.3.3 github.com/go-logr/zapr v1.3.0 github.com/golang-jwt/jwt/v4 v4.5.2 - github.com/golang/mock v1.7.0-rc.1 github.com/google/go-cmp v0.7.0 github.com/google/uuid v1.6.0 github.com/mccutchen/go-httpbin/v2 v2.15.0 github.com/prometheus/client_model v0.6.2 - github.com/prometheus/common v0.65.0 + github.com/prometheus/common v0.67.2 github.com/quasilyte/go-ruleguard/dsl v0.3.22 github.com/solo-io/cue v0.4.7 github.com/stoewer/go-strcase v1.3.1 github.com/stretchr/testify v1.11.1 - go.opentelemetry.io/proto/otlp v1.7.1 - golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 - golang.org/x/mod v0.27.0 - google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a - google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a - istio.io/api v1.27.0-beta.0.0.20250731082105-36763529c462 - istio.io/client-go v1.27.0-beta.0.0.20250731082605-b098a6e566f4 - istio.io/istio v0.0.0-20250808040725-7359d8be2504 - k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 - sigs.k8s.io/controller-tools v0.18.0 - sigs.k8s.io/structured-merge-diff/v4 v4.7.0 + go.opentelemetry.io/proto/otlp v1.9.0 + go.uber.org/mock v0.6.0 + golang.org/x/exp v0.0.0-20251017212417-90e834f514db + golang.org/x/mod v0.29.0 + google.golang.org/genproto/googleapis/api v0.0.0-20251020155222-88f65dc88635 + google.golang.org/genproto/googleapis/rpc v0.0.0-20251020155222-88f65dc88635 + istio.io/api v1.28.0-alpha.0.0.20251210001900-ce7b5802387c + istio.io/client-go v1.28.0-alpha.0.0.20251210002059-b67694478a4b + istio.io/istio v0.0.0-20251215222123-9eb419397d40 + k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + sigs.k8s.io/controller-tools v0.19.0 + sigs.k8s.io/structured-merge-diff/v6 v6.3.0 ) require ( github.com/go-viper/mapstructure/v2 v2.4.0 // indirect - github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect - github.com/prometheus/client_golang v1.23.0 // indirect + github.com/golang/mock v1.7.0-rc.1 // 
indirect + github.com/grafana/regexp v0.0.0-20250905093917-f7b3be9d1853 // indirect + github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect + github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect + github.com/perimeterx/marshmallow v1.1.5 // indirect + github.com/prometheus/client_golang v1.23.2 // indirect github.com/prometheus/otlptranslator v0.0.0-20250717125610-8549f4ab4f8f // indirect github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect - go.uber.org/automaxprocs v1.6.0 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect - go.yaml.in/yaml/v3 v3.0.3 // indirect - golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect + github.com/ugorji/go/codec v1.2.12 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect + golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect oras.land/oras-go/v2 v2.6.0 // indirect - sigs.k8s.io/gateway-api-inference-extension v0.5.0 // indirect + sigs.k8s.io/gateway-api-inference-extension v1.1.0 // indirect ) require ( @@ -145,7 +149,7 @@ require ( github.com/Masterminds/sprig v2.22.0+incompatible // indirect github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect - github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect github.com/acomagu/bufpipe v1.0.3 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect 
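Review bot: The three istio.io requirements in this hunk move from `v1.27.0-beta` snapshots to `v1.28.0-alpha` and untagged-commit pseudo-versions (`istio.io/api v1.28.0-alpha.0.0.20251210001900-ce7b5802387c`, likewise `istio.io/client-go` and `istio.io/istio`), and nothing on the new side says why a pre-release snapshot is needed. A comment above them such as `// istio pinned to a 1.28 pre-release snapshot for <reason>; move to the tagged release when available` would tell the next bump when to replace them. The hunk also keeps `github.com/golang/mock v1.7.0-rc.1 // indirect` after the direct dependency switches to `go.uber.org/mock`, so presumably a transitive dependency still imports the old module; `go mod why -m github.com/golang/mock` would show which one.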
@@ -167,7 +171,7 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/emicklei/go-restful/v3 v3.12.2 // indirect + github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/emicklei/proto v1.13.2 // indirect github.com/emirpasic/gods v1.12.0 // indirect github.com/evanphx/json-patch v5.9.11+incompatible // indirect @@ -176,9 +180,9 @@ require ( github.com/fatih/camelcase v1.0.0 // indirect github.com/fatih/color v1.18.0 github.com/fgrosse/zaptest v1.1.0 // indirect - github.com/fxamacker/cbor/v2 v2.8.0 // indirect + github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/gertd/go-pluralize v0.1.1 // indirect - github.com/getkin/kin-openapi v0.123.0 // indirect + github.com/getkin/kin-openapi v0.131.0 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-git/gcfg v1.5.0 // indirect github.com/go-git/go-billy/v5 v5.3.1 // indirect @@ -190,7 +194,7 @@ require ( github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.19.5 // indirect github.com/go-openapi/errors v0.19.2 // indirect - github.com/go-openapi/jsonpointer v0.21.1 // indirect + github.com/go-openapi/jsonpointer v0.21.2 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/runtime v0.19.5 // indirect github.com/go-openapi/strfmt v0.19.5 // indirect 
@@ -205,10 +209,9 @@ require ( github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.1.3 // indirect github.com/google/cel-go v0.26.0 // indirect - github.com/google/gnostic-models v0.6.9 // indirect + github.com/google/gnostic-models v0.7.0 // indirect github.com/google/go-querystring v1.0.0 // indirect - github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a // indirect - github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect + github.com/google/pprof v0.0.0-20250923004556-9e5a51aed1e8 // indirect github.com/goph/emperror v0.17.1 // indirect github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect github.com/gosuri/uitable v0.0.4 // indirect @@ -234,11 +237,10 @@ require ( github.com/huandu/xstrings v1.5.0 // indirect github.com/iancoleman/strcase v0.3.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/invopop/yaml v0.3.1 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jmespath/go-jmespath v0.3.0 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect - github.com/jonboulle/clockwork v0.4.0 // indirect + github.com/jonboulle/clockwork v0.5.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/k0kubun/pp v3.0.1+incompatible // indirect @@ -274,7 +276,7 @@ require ( github.com/moby/spdystream v0.5.0 // indirect github.com/moby/term v0.5.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect 
@@ -313,40 +315,40 @@ require ( github.com/yuin/goldmark v1.7.4 // indirect go.mongodb.org/mongo-driver v1.1.2 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/otel v1.37.0 // indirect + go.opentelemetry.io/otel v1.38.0 // indirect go.opentelemetry.io/otel/exporters/prometheus v0.59.1 // indirect - go.opentelemetry.io/otel/metric v1.37.0 // indirect - go.opentelemetry.io/otel/sdk v1.37.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect - go.opentelemetry.io/otel/trace v1.37.0 // indirect + go.opentelemetry.io/otel/metric v1.38.0 // indirect + go.opentelemetry.io/otel/sdk v1.38.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect + go.opentelemetry.io/otel/trace v1.38.0 // indirect go.uber.org/atomic v1.11.0 // indirect - golang.org/x/net v0.43.0 // indirect - golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sys v0.35.0 // indirect - golang.org/x/term v0.34.0 // indirect - golang.org/x/text v0.28.0 // indirect - golang.org/x/time v0.12.0 // indirect + golang.org/x/net v0.46.0 // indirect + golang.org/x/oauth2 v0.32.0 // indirect + golang.org/x/sys v0.37.0 // indirect + golang.org/x/term v0.36.0 // indirect + golang.org/x/text v0.30.0 // indirect + golang.org/x/time v0.14.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 - k8s.io/apiserver v0.33.4 // indirect - k8s.io/cli-runtime v0.33.3 // indirect - k8s.io/component-helpers v0.33.3 // indirect + k8s.io/apiserver v0.34.2 // indirect + k8s.io/cli-runtime v0.34.2 // indirect + k8s.io/component-helpers v0.34.2 // indirect 
k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect - k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 // indirect + k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect - k8s.io/metrics v0.33.1 // indirect - sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect - sigs.k8s.io/kustomize/api v0.19.0 // indirect - sigs.k8s.io/kustomize/kustomize/v5 v5.6.0 // indirect - sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect + k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect + k8s.io/metrics v0.34.2 // indirect + sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect + sigs.k8s.io/kustomize/api v0.20.1 // indirect + sigs.k8s.io/kustomize/kustomize/v5 v5.7.1 // indirect + sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect sigs.k8s.io/mcs-api v0.2.0 // indirect sigs.k8s.io/randfill v1.0.0 // indirect ) @@ -365,8 +367,7 @@ replace ( // https://github.com/fsnotify/fsnotify/issues/672 github.com/fsnotify/fsnotify => github.com/fsnotify/fsnotify v1.7.0 - // Pin this to a version compatible with protoc-gen-openapi - github.com/getkin/kin-openapi => github.com/getkin/kin-openapi v0.107.0 + // go.uber.org/mock => go.uber.org/mock v0.5.2 // Newer versions result in changes to the names of generated metrics // remove this when we fix https://github.com/solo-io/solo-kit/issues/516 
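Review bot: The added line `// go.uber.org/mock => go.uber.org/mock v0.5.2` in the replace block is a commented-out directive with no explanation, sitting where the removed kin-openapi pin and its comment used to be. Either delete it or state what it is kept for, e.g. `// go.uber.org/mock v0.6.0 is required above; re-enable this pin to v0.5.2 only if <reason>`. As written, a reader cannot tell whether v0.6.0 (added to the require block in an earlier hunk) is known-good or whether the downgrade was disabled by accident. The replace block starts before this hunk and ends after it.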
@@ -381,22 +382,25 @@ replace ( // Required for proper serialization of CRDs github.com/renstrom/dedent => github.com/lithammer/dedent v1.0.0 - // Pin Kube libraries to v0.33.1 + // Pin this to a version compatible with protoc-gen-openapi + github.com/ugorji/go/codec => github.com/ugorji/go/codec v1.2.7 + + // Pin Kube libraries to v0.34.2 // These should be upgraded collectively - k8s.io/api => k8s.io/api v0.33.1 - k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.33.1 - k8s.io/apimachinery => k8s.io/apimachinery v0.33.1 - k8s.io/apiserver => k8s.io/apiserver v0.33.1 - k8s.io/cli-runtime => k8s.io/cli-runtime v0.33.1 - k8s.io/client-go => k8s.io/client-go v0.33.1 - k8s.io/code-generator => k8s.io/code-generator v0.33.1 - k8s.io/component-base => k8s.io/component-base v0.33.1 - k8s.io/component-helpers => k8s.io/component-helpers v0.33.1 - // version of kube-openapi used by client-go v0.33.1 - k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff - k8s.io/kubectl => k8s.io/kubectl v0.33.1 - k8s.io/metrics => k8s.io/metrics v0.33.1 - k8s.io/utils => k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 + k8s.io/api => k8s.io/api v0.34.2 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.34.2 + k8s.io/apimachinery => k8s.io/apimachinery v0.34.2 + k8s.io/apiserver => k8s.io/apiserver v0.34.2 + k8s.io/cli-runtime => k8s.io/cli-runtime v0.34.2 + k8s.io/client-go => k8s.io/client-go v0.34.2 + k8s.io/code-generator => k8s.io/code-generator v0.34.2 + k8s.io/component-base => k8s.io/component-base v0.34.2 + k8s.io/component-helpers => k8s.io/component-helpers v0.34.2 + // version of kube-openapi used by client-go v0.34.2 + k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b + k8s.io/kubectl => k8s.io/kubectl v0.34.2 + k8s.io/metrics => k8s.io/metrics v0.34.2 + k8s.io/utils => k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 ) exclude ( 
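Review bot: The new `github.com/ugorji/go/codec => github.com/ugorji/go/codec v1.2.7` replace builds an older version than the `v1.2.12 // indirect` this commit records in the require block, and its comment is the sentence that used to sit on the removed kin-openapi pin. Name the dependent and the exit condition, e.g. `// Pin ugorji/go/codec to v1.2.7: <dependent> does not build with v1.2.12; remove once <condition>`. The same require/replace gap appears for `k8s.io/utils` (require `...20250820121507-0af2bda4dd1d`, replace `...20250604170112-4c0f3b243397`) and `k8s.io/kube-openapi` (require `...20250814151709-d7b6acb124c3`, replace `...20250710124328-f3f2b991d03b`); since the replace wins, tools that read only the require lines will report versions that are not the ones compiled in. Aligning the require entries with the replace targets would make go.mod show what is actually built. The replace block opens before this hunk.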
diff --git a/go.sum b/go.sum index bd015f4a370..112ecdf286b 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,12 @@ +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.31.0-20230721003620-2341cbb21958.1/go.mod h1:xafc+XIsTxTy76GJQ1TKgvJWsSugFBqMaN27WhUblew= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.31.0-20230802163732-1c33ebd9ecfa.1/go.mod h1:xafc+XIsTxTy76GJQ1TKgvJWsSugFBqMaN27WhUblew= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.4-20250130201111-63bb56e20495.1/go.mod h1:novQBstnxcGpfKf8qGRATqn1anQKwMJIbH5Q581jibU= cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= -cel.dev/expr v0.16.1/go.mod h1:AsGA5zb3WruAEQeQng1RZdGEXmBj0jvMWh6l5SnNuC8= +cel.dev/expr v0.16.2/go.mod h1:gXngZQMkWJoSbE8mOzehJlXQyubn/Vg0vR9/F3W7iw8= +cel.dev/expr v0.19.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= +cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 
@@ -359,6 +364,8 @@ cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxB cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY= +cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= +cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck= cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w= @@ -1145,6 +1152,7 @@ cloud.google.com/go/spanner v1.53.1/go.mod h1:liG4iCeLqm5L3fFLU5whFITqP0e0orsAW1 cloud.google.com/go/spanner v1.54.0/go.mod h1:wZvSQVBgngF0Gq86fKup6KIYmN2be7uOKjtK97X+bQU= cloud.google.com/go/spanner v1.55.0/go.mod h1:HXEznMUVhC+PC+HDyo9YFG2Ajj5BQDkcbqB9Z2Ffxi0= cloud.google.com/go/spanner v1.56.0/go.mod h1:DndqtUKQAt3VLuV2Le+9Y3WTnq5cNKrnLb/Piqcj+h0= +cloud.google.com/go/spanner v1.57.0/go.mod h1:aXQ5QDdhPRIqVhYmnkAdwPYvj/DRN0FguclhEWw+jOo= cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0= 
@@ -1353,6 +1361,9 @@ github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7Oputl github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/DataDog/datadog-go v0.0.0-20180330214955-e67964b4021a/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.2/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0/go.mod h1:obipzmGjfSjam60XLwGfqUkJsfiheAl+TUjG+4yzyPM= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A= github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= 
@@ -1370,8 +1381,8 @@ github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= -github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= -github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc= github.com/Netflix/go-expect v0.0.0-20180928190340-9d1f4485533b h1:sSQK05nvxs4UkgCJaxihteu+r+6ela3dNMm7NVmsS3c= 
@@ -1419,6 +1430,8 @@ github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHG github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= @@ -1474,6 +1487,8 @@ github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuP github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bufbuild/protocompile v0.6.0 h1:Uu7WiSQ6Yj9DbkdnOe7U4mNKp58y9WDMKDn28/ZlunY= github.com/bufbuild/protocompile v0.6.0/go.mod h1:YNP35qEYoYGme7QMtz5SBCoN4kL4g12jTtjuzRNdjpE= +github.com/bufbuild/protovalidate-go v0.2.1/go.mod h1:e7XXDtlxj5vlEyAgsrxpzayp4cEMKCSSb8ZCkin+MVA= +github.com/bufbuild/protovalidate-go v0.9.1/go.mod h1:5jptBxfvlY51RhX32zR6875JfPBRXUsQjyZjm/NqkLQ= github.com/bugsnag/bugsnag-go v1.4.0/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= github.com/bugsnag/bugsnag-go v1.5.0 h1:tP8hiPv1pGGW3LA6LKy5lW6WG+y9J2xWUdPd3WC452k= github.com/bugsnag/bugsnag-go v1.5.0/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= 
@@ -1481,9 +1496,10 @@ github.com/bugsnag/panicwrap v1.2.0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywR github.com/c2h5oh/datasize v0.0.0-20171227191756-4eba002a5eae/go.mod h1:S/7n9copUssQ56c7aAgHqftWO4LTf4xY6CGWt8Bc+3M= github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c= github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= -github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= +github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20190105021004-abcd57078448/go.mod h1:GJKEexRPVJrBSOjoqN5VNOIKJ5Q3RViH6eu3puDRwx4= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= 
@@ -1531,8 +1547,10 @@ github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50/go.mod h1:5e1+Vvlzido6 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= -github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls= -github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e h1:gt7U1Igw0xbJdyaCM5H2CnlAlPSkzrhsebQB6WQWjLA= +github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= github.com/cockroachdb/apd/v2 v2.0.1/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw= github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= 
@@ -1551,7 +1569,6 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= @@ -1565,7 +1582,6 @@ github.com/cratonica/2goarray v0.0.0-20190331194516-514510793eaa h1:Wg+722vs7a2z github.com/cratonica/2goarray v0.0.0-20190331194516-514510793eaa/go.mod h1:6Arca19mRx58CA7OWEd7Wu1NpC1rd3uDnNs6s1pj/DI= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/crewjam/httperr v0.0.0-20190612203328-a946449404da/go.mod h1:+rmNIXRvYMqLQeR4DHyTvs6y0MEMymTz4vyFpFkKTPs= 
@@ -1606,8 +1622,9 @@ github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5m github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= +github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/proto v1.6.15/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/emicklei/proto v1.13.2 h1:z/etSFO3uyXeuEsVPzfl56WNgzcvIr42aQazXaQmFZY= github.com/emicklei/proto v1.13.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= 
@@ -1629,14 +1646,19 @@ github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCw github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q= github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= -github.com/envoyproxy/go-control-plane v0.13.5-0.20251015221300-4138018a492b h1:arMSHRQ9zPQNFZ1GTKexEdV4ziFgv1I4qhqXfWiSU9Y= -github.com/envoyproxy/go-control-plane v0.13.5-0.20251015221300-4138018a492b/go.mod h1:Alz8LEClvR7xKsrq3qzoc4N0guvVNSS8KmSChGYr9hs= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA= +github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA= +github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU= github.com/envoyproxy/go-control-plane/contrib v1.32.5-0.20250627145903-197b96a9c7f8 h1:KXgXPtBofHkRHr+8dO058dGZnLHapW7m0yJEgSYdAFA= github.com/envoyproxy/go-control-plane/contrib v1.32.5-0.20250627145903-197b96a9c7f8/go.mod h1:Nx/YcyEeIcgjT13QwKHdcPmS060urxZ835MeO8cLOrg= -github.com/envoyproxy/go-control-plane/envoy v1.35.1-0.20251015221300-4138018a492b h1:rDyuvoLwwYo/TeYQF/6Ag7BG/LYbrnLp3qvXzzF5JRk= -github.com/envoyproxy/go-control-plane/envoy v1.35.1-0.20251015221300-4138018a492b/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98= +github.com/envoyproxy/go-control-plane/envoy v1.32.2/go.mod h1:eR2SOX2IedqlPvmiKjUH7Wu//S602JKI7HPC/L3SRq8= 
+github.com/envoyproxy/go-control-plane/envoy v1.32.3/go.mod h1:F6hWupPfh75TBXGKA++MCT/CZHFq5r9/uwt/kQYkZfE= +github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw= +github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20251120180717-7c66c7f1d0b2 h1:BprNEu/ZERE6ACMAisXf1H8/1HmDseGxpvD70ltXiqo= +github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20251120180717-7c66c7f1d0b2/go.mod h1:6DQL0WI2n/JV923ZcB8Pr3Xi28osKAWBPpo/jDIKL6U= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4= github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20250507123352-93990c5ec02f h1:VWpzyGd4X6+m72F5roMJy6n4eg3ExVIbiKEkHqWaNJU= github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20250507123352-93990c5ec02f/go.mod h1:XwRfO4L5F5f2M22/plL7eNluEEJe8MOqb9KvAy34fTA= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 
@@ -1690,17 +1712,22 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= -github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= -github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= github.com/gertd/go-pluralize v0.1.1 h1:fQhql/WRRwr4TVp+TCw12s2esCacvEVBdkTUUwNqF/Q= github.com/gertd/go-pluralize v0.1.1/go.mod h1:t5DfHcumb6m0RqyVJDrDLEzL2AGeaiqUXIcDNwLaeAs= -github.com/getkin/kin-openapi v0.107.0 h1:bxhL6QArW7BXQj8NjXfIJQy680NsMKd25nwhvpCXchg= -github.com/getkin/kin-openapi v0.107.0/go.mod h1:9Dhr+FasATJZjS4iOLvB0hkaxgYdulrNYm2e9epLWOo= +github.com/getkin/kin-openapi v0.131.0 h1:NO2UeHnFKRYhZ8wg6Nyh5Cq7dHk4suQQr72a4pMrDxE= +github.com/getkin/kin-openapi v0.131.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew= github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I= +github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= +github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= +github.com/gkampitakis/go-diff v1.3.2 
h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= +github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= +github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE= +github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc= github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= @@ -1728,6 +1755,7 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= +github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= 
@@ -1774,11 +1802,10 @@ github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwds github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= -github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic= -github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= +github.com/go-openapi/jsonpointer v0.21.2 h1:AqQaNADVwq/VnkCmQg6ogE+M3FOsKTytwges0JdwVuA= +github.com/go-openapi/jsonpointer v0.21.2/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= 
@@ -1864,6 +1891,8 @@ github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4= github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/goccy/go-yaml v1.9.8/go.mod h1:JubOolP3gh0HpiBc4BLRD4YmjEjHAmIIB2aaXKkTfoE= github.com/goccy/go-yaml v1.11.0/go.mod h1:H+mJrWtjPTJAHvRbV09MCK9xYwODM+wRTVFFTWckfng= +github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= +github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= @@ -1877,6 +1906,7 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= 
@@ -1885,6 +1915,8 @@ github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/ github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/glog v1.2.3/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -1937,16 +1969,16 @@ github.com/gonum/matrix v0.0.0-20181209220409-c518dec07be9/go.mod h1:0EXg4mc1CNP github.com/gonum/stat v0.0.0-20181125101827-41a0da705a5b/go.mod h1:Z4GIJBJO3Wa4gD4vbwQxXXZ+WHmW6E9ixmNrwvs0iZs= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= +github.com/google/cel-go v0.17.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/cel-go v0.23.0/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/flatbuffers v23.5.26+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= +github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -2007,15 +2039,13 @@ github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwg github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= -github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18= -github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= +github.com/google/pprof v0.0.0-20250923004556-9e5a51aed1e8 h1:ZI8gCoCjGzPsum4L21jHdQs8shFBIQih1TM9Rd/c+EQ= +github.com/google/pprof v0.0.0-20250923004556-9e5a51aed1e8/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM= github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= -github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= -github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -2072,14 +2102,17 @@ github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5T github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= -github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248= -github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk= +github.com/grafana/regexp v0.0.0-20250905093917-f7b3be9d1853 h1:cLN4IBkmkYZNnk7EAJ0BHIethd+J6LqxFNw5mSiI2bM= +github.com/grafana/regexp v0.0.0-20250905093917-f7b3be9d1853/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= +github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1/go.mod h1:lXGCsh6c22WGtjr+qGHj1otzZpV/1kwTMAqkwZsnWRU= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0/go.mod h1:XKMd7iuf/RGPSMJ/U4HP0zS2Z9Fh8Ps9a+6X26m/tmI= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0/go.mod h1:qOchhhIlmRcqk/O9uCo/puJlyo07YINaIqdZfZG3Jkc= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= 
github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw= @@ -2087,9 +2120,10 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/api v1.28.2 h1:mXfkRHrpHN4YY3RqL09nXU1eHKLNiuAN4kHvDQ16k/8= github.com/hashicorp/consul/api v1.28.2/go.mod h1:KyzqzgMEya+IZPcD65YFoOVAgPpbfERu4I/tzG6/ueE= 
@@ -2204,9 +2238,6 @@ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANyt github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/influxdata/tdigest v0.0.0-20180711151920-a7d76c6f093a/go.mod h1:9GkyshztGufsdPQWjH+ifgnIr3xNUL5syI70g2dzU1o= -github.com/invopop/yaml v0.1.0/go.mod h1:2XuRLgs/ouIrW3XNzuNj7J3Nvu/Dig5MXvbCEdiBN3Q= -github.com/invopop/yaml v0.3.1 h1:f0+ZpmhfBSS4MhG+4HYseMdJhoeeopbSKbq5Rpeelso= -github.com/invopop/yaml v0.3.1/go.mod h1:PMOp3nn4/12yEZUFfmOuNHJsZToEEOwoWsT+D81KkeA= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= 
@@ -2225,11 +2256,12 @@ github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeY github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= -github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4= -github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc= +github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I= +github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE= +github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 
@@ -2335,6 +2367,8 @@ github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= +github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A= github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -2373,14 +2407,16 @@ github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfr github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/mccutchen/go-httpbin/v2 v2.15.0 h1:3b2s8LMRR2aFd+8U+1Bx2kdgHNQ5ZQkQOiW8e52Jj9A= github.com/mccutchen/go-httpbin/v2 v2.15.0/go.mod h1:GBy5I7XwZ4ZLhT3hcq39I4ikwN9x4QUt6EAxNiR8Jus= +github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE= +github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.17/go.mod h1:WgzbA6oji13JREwiNsRDNfl7jYdPnmz+VEuLrA+/48M= github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= -github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE= -github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE= +github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA= +github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps= github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY= github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= 
@@ -2419,8 +2455,9 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= 
@@ -2438,6 +2475,10 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY= github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc= +github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY= +github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw= +github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c= +github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o= github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= 
@@ -2470,8 +2511,8 @@ github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/ github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= -github.com/onsi/ginkgo/v2 v2.24.0 h1:obZz8LAnHicNdbBqvG3ytAFx8fgza+i1IDpBVcHT2YE= -github.com/onsi/ginkgo/v2 v2.24.0/go.mod h1:ppTWQ1dh9KM/F1XgpeRqelR+zHVwV81DGRSDnFxK7Sk= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= @@ -2498,8 +2539,8 @@ github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16A github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= -github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY= -github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= 
@@ -2521,6 +2562,8 @@ github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3v github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4= github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY= +github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX50IvK2s= +github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= @@ -2556,8 +2599,6 @@ github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= -github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= -github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= 
@@ -2574,9 +2615,10 @@ github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+L github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= -github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc= -github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -2606,8 +2648,8 @@ github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGy github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= -github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE= -github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8= +github.com/prometheus/common v0.67.2 h1:PcBAckGFTIHt2+L3I33uNRTlKTplNzFctXcWhPyAEN8= +github.com/prometheus/common v0.67.2/go.mod h1:63W3KZb1JOKgcjlIr64WW/LvFGAqKPj0atm+knVGEko= github.com/prometheus/otlptranslator v0.0.0-20250717125610-8549f4ab4f8f h1:QQB6SuvGZjK8kdc2YaLJpYhV8fxauOsjE6jgcL6YJ8Q= github.com/prometheus/otlptranslator v0.0.0-20250717125610-8549f4ab4f8f/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= 
@@ -2724,20 +2766,20 @@ github.com/solo-io/cue v0.4.7/go.mod h1:P1tN9y6nBPAMoEK5aJxI8kn0VUcjVcRc+8esieRz github.com/solo-io/go-list-licenses v0.1.4 h1:u4xh1OUORT4iSWuAp3Q4NsfHcDaeUV8QRDH8ACQqbxw= github.com/solo-io/go-list-licenses v0.1.4/go.mod h1:x6LSp/NrYgVXwNum7ZOiaAYTpg6B3F6TrWYfcdHVroA= github.com/solo-io/go-utils v0.20.2/go.mod h1:6e8K1spnMWwlnJRSNp/J84GEyJbrcK4Gm7i+ehzCi8c= -github.com/solo-io/go-utils v0.28.6 h1:Ai/3Yo+Exa6w5N3CanQXHmxW7471Ne23vO1bpkQT/lg= -github.com/solo-io/go-utils v0.28.6/go.mod h1:xA4ARGfGXD2QRRGpFFX6AQVTn4mUklnzrS5FJ5Xcgbo= -github.com/solo-io/k8s-utils v0.11.1 h1:cyto2y4j8PbM42Pax4VLcPs3sKstsWs1VBUWDrnStB8= -github.com/solo-io/k8s-utils v0.11.1/go.mod h1:nOJpXsyLSKzwuJ0+3n7chyhioivRVChrqbOAtYwmGGI= +github.com/solo-io/go-utils v0.29.0 h1:sQ6kkSJtTRsU55qsGBvwDkpJXTOWsC7ZuKo3VEsYfjU= +github.com/solo-io/go-utils v0.29.0/go.mod h1:OLAhGzBc1NSSfwD6IiI/kcaRSlFnqAUWyxtC6ku3+90= +github.com/solo-io/k8s-utils v0.12.0 h1:Ovovz/i1v+UcZM22pNhh7tX9AO2ycwJcYErxPf8Hz+k= +github.com/solo-io/k8s-utils v0.12.0/go.mod h1:RKP+mxLkmVQMxaikZz5Nq37thYS25+KWfDqF5wURvZs= github.com/solo-io/protoc-gen-ext v0.1.0 h1:WvmXaontRCax9Wq5vAdewv+4tCwTrubC5rbk6coSajQ= github.com/solo-io/protoc-gen-ext v0.1.0/go.mod h1:pJ8/XXyHs6T3p7dpu9Hmv0B4uhn7HI+OR2YIjT1mKDc= -github.com/solo-io/protoc-gen-openapi v0.3.0 h1:9Cb45r7GtZcWTPQx+VJ6ba4DB6f47/ONsAxz/8tyuOE= -github.com/solo-io/protoc-gen-openapi v0.3.0/go.mod h1:3Zvq9oDldIwsP7UGfsIxeR9CxRovRhFPDvp4gns0C0w= -github.com/solo-io/skv2 v0.44.1 h1:YonWgPTC3Amkq6KwM3mXvZNy2O9jp0x+3ikynk1cMjA= -github.com/solo-io/skv2 v0.44.1/go.mod h1:qgctU1aqEdhmivmuKtOOOssWOHrNI/0XNSUrOUFP7BU= -github.com/solo-io/solo-apis v0.0.0-20250616141238-dd7b8dbf6a9b h1:q3QFvBxAfW3FLzZnHjPYLYn67LNmbzAxW7LPbjudlbI= -github.com/solo-io/solo-apis v0.0.0-20250616141238-dd7b8dbf6a9b/go.mod h1:FJT9O3ViImCX7rpznEwGmSLmmHSuZbrzbsDHvbXjhxo= -github.com/solo-io/solo-kit v0.39.2 h1:EjwFjTom1+Qt144/Vh4oBUIPrlRfs0T4ElNCX1pbBbI= -github.com/solo-io/solo-kit 
v0.39.2/go.mod h1:UKpFMRmjTNOAQb59LeriYg3HZwz7xW+lMVqePbeEEv4= +github.com/solo-io/protoc-gen-openapi v0.4.0 h1:/IMsKPRNwFSUm95V3buE+JGerZNaX1znzhJqMV+5+z0= +github.com/solo-io/protoc-gen-openapi v0.4.0/go.mod h1:YXSJRshFxkdkizOvkK4xcNigmlmDJTBcCkZDPsO9568= +github.com/solo-io/skv2 v0.45.0 h1:4Weshmrs0HknZ1WZPZC+bcjIpImoyDyKaLcWsQ2/Z8s= +github.com/solo-io/skv2 v0.45.0/go.mod h1:Y6Xah62KVpAHoD5iF7i3ls/Bbj3li/P8KCOVsA133/I= +github.com/solo-io/solo-apis v0.0.0-20251212201919-e8dd072aea09 h1:S+EYcJb/k2eYJ3vE6/9fIr/cPz0oTLwLpW15vbDrj58= +github.com/solo-io/solo-apis v0.0.0-20251212201919-e8dd072aea09/go.mod h1:VV3xgngbSkLtppOfQqs9OG9H7itMIGOVMi5qe/+nMzU= +github.com/solo-io/solo-kit v0.40.0 h1:ptQ+hwqbeEX74cSYR863R+2GA005wfG8Q0IuebQk4c8= +github.com/solo-io/solo-kit v0.40.0/go.mod h1:9q2n8+Nj2/w627TFOo/mLNiQeeCIkhsLcEYy5DeG/sQ= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= @@ -2754,7 +2796,6 @@ github.com/spf13/cast v1.8.0 h1:gEN9K4b8Xws4EX0+a0reLmhq8moKn7ntRlQYgjPeCDk= github.com/spf13/cast v1.8.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= -github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= 
@@ -2769,6 +2810,7 @@ github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/y github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4= +github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g= github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= 
@@ -2805,8 +2847,15 @@ github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/substrait-io/substrait-go v0.4.2/go.mod h1:qhpnLmrcvAnlZsUyPXZRqldiHapPTXC3t7xFgDi3aQg= -github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4= +github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= +github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= +github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= 
@@ -2815,6 +2864,9 @@ github.com/tsenart/go-tsz v0.0.0-20180814232043-cdeb9e1e981e/go.mod h1:SWZznP1z5 github.com/tsenart/vegeta/v12 v12.8.4/go.mod h1:ZiJtwLn/9M4fTPdMY7bdbIeyNeFVE8/AHbWFqCsUuho= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go v1.2.7/go.mod h1:nF9osbDWLy6bDVv/Rtoh6QgnvNDpmCalQV5urGCCS6M= +github.com/ugorji/go/codec v1.2.7 h1:YPXUKf7fYbp/y8xloBqZOw2qaVggbfwMlI8WM3wZUJ0= +github.com/ugorji/go/codec v1.2.7/go.mod h1:WGN1fab3R1fzQlVQTkfxVtIBhWDRqOviHU95kRgeqEY= github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= 
@@ -2842,20 +2894,20 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t github.com/yuin/goldmark v1.7.4 h1:BDXOHExt+A7gwPCJgPIIq7ENvceR7we7rOS9TNoLZeg= github.com/yuin/goldmark v1.7.4/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= +github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= github.com/zenazn/goji v0.9.1-0.20160507202103-64eb34159fe5/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= go.einride.tech/aip v0.66.0/go.mod h1:qAhMsfT7plxBX+Oy7Huol6YUvZ0ZzdUz26yZsQwfl1M= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= -go.etcd.io/etcd/api/v3 v3.5.21/go.mod h1:c3aH5wcvXv/9dqIw2Y810LDXJfhSYdHQ0vxmP3CCHVY= -go.etcd.io/etcd/client/pkg/v3 v3.5.21/go.mod h1:BgqT/IXPjK9NkeSDjbzwsHySX3yIle2+ndz28nVsjUs= -go.etcd.io/etcd/client/v2 v2.305.21/go.mod h1:OKkn4hlYNf43hpjEM3Ke3aRdUkhSl8xjKjSf8eCq2J8= -go.etcd.io/etcd/client/v3 v3.5.21/go.mod h1:mFYy67IOqmbRf/kRUvsHixzo3iG+1OF2W2+jVIQRAnU= -go.etcd.io/etcd/pkg/v3 v3.5.21/go.mod h1:wpZx8Egv1g4y+N7JAsqi2zoUiBIUWznLjqJbylDjWgU= -go.etcd.io/etcd/raft/v3 v3.5.21/go.mod h1:fmcuY5R2SNkklU4+fKVBQi2biVp5vafMrWUEj4TJ4Cs= -go.etcd.io/etcd/server/v3 v3.5.21/go.mod h1:G1mOzdwuzKT1VRL7SqRchli/qcFrtLBTAQ4lV20sXXo= -go.etcd.io/gofail v0.1.0/go.mod h1:VZBCXYGZhHAinaBiiqYvuDynvahNsAyLFwB3kEHKz1M= +go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM= +go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk= +go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI= +go.etcd.io/etcd/client/v3 v3.6.4/go.mod 
h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo= +go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE= +go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg= +go.etcd.io/gofail v0.2.0/go.mod h1:nL3ILMGfkXTekKI3clMBNazKnjUZjYLKmBHzsVAnC1o= +go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo= go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.2 h1:jxcFYjlkl8xaERsgLo+RNquI0epW6zuy/ZRQs6jnrFA= 
@@ -2873,31 +2925,36 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w= go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk= +go.opentelemetry.io/contrib/detectors/gcp v1.31.0/go.mod h1:tzQL6E1l+iV44YFTkcAeNQqzXUiekSYP9jjJjXwEd00= +go.opentelemetry.io/contrib/detectors/gcp v1.32.0/go.mod h1:TVqo0Sda4Cv8gCIixd7LuLwW4EylumVWfhjZJjDD4DU= +go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo= go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4= go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0/go.mod h1:Ct6zzQEuGK3WpJs2n4dn+wfJYzd/+hNnxMRTWjGn30M= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0/go.mod h1:tIKj3DbO8N9Y2xo52og3irLsPI4GW02DSMtrVgNMgxg= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0/go.mod h1:HDBUsEjOuRC0EzKZ1bSaRGZWUBAzo+MhAcUUORSr4D0= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 
v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0/go.mod h1:rdENBZMT2OE6Ne/KLwpiXudnAsbdrdBaqBvTN8M8BgA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg= go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= -go.opentelemetry.io/otel v1.20.0/go.mod h1:oUIGj3D77RwJdM6PPZImDpSZGDvkD9fhesHny69JFrs= go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= go.opentelemetry.io/otel v1.23.0/go.mod h1:YCycw9ZeKhcJFrb34iVSkyT0iczq/zYDtZYFufObyB0= go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= -go.opentelemetry.io/otel 
v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= -go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= +go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI= +go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= +go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= +go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8= 
@@ -2906,64 +2963,70 @@ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7Z go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.20.0/go.mod h1:GijYcYmNpX1KazD5JmWGsi4P7dDTTTnfv1UbGn84MnU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0/go.mod h1:vNUq47TGFioo+ffTSnKNdob241vePmtNZnAODKapKd0= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod 
h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA= go.opentelemetry.io/otel/exporters/prometheus v0.59.1 h1:HcpSkTkJbggT8bjYP+BjyqPWlD17BH9C5CYNKeDzmcA= go.opentelemetry.io/otel/exporters/prometheus v0.59.1/go.mod h1:0FJL+gjuUoM07xzik3KPBaN+nz/CoB15kV6WLMiXZag= go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU= go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 h1:SZmDnHcgp3zwlPBS2JX2urGYe/jBKEIT6ZedHRUyCz8= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0/go.mod h1:fdWW0HtZJ7+jNpTKUR0GpMEDP69nR8YBJQxNiVCE3jk= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 h1:kJxSDN4SgWWTjG/hPp3O7LCGLcHXFlvS2/FFOrwL+SE= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0/go.mod h1:mgIOzS7iZeKJdeB8/NYHrJ48fdGc71Llo5bJ1J4DWUE= go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk= go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8= go.opentelemetry.io/otel/metric 
v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= -go.opentelemetry.io/otel/metric v1.20.0/go.mod h1:90DRw3nfK4D7Sm/75yQ00gTJxtkBxX+wu6YaNymbpVM= go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= go.opentelemetry.io/otel/metric v1.23.0/go.mod h1:MqUW2X2a6Q8RN96E2/nqNoT+z9BSms20Jb7Bbp+HiTo= go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= -go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE= -go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E= +go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= +go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= +go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= +go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= -go.opentelemetry.io/otel/sdk v1.20.0/go.mod h1:rmkSx1cZCm/tn16iWDn1GQbLtsW/LvsdEEFzCSRM6V0= go.opentelemetry.io/otel/sdk v1.21.0/go.mod h1:Nna6Yv7PWTdgJHVRD9hIYywQBRx7pbox6nwBnZIxl/E= go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc= -go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= -go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI= -go.opentelemetry.io/otel/sdk v1.37.0/go.mod 
h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg= +go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= +go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU= +go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= +go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= +go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs= go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo= -go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc= -go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps= +go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= +go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= +go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= +go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= +go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= -go.opentelemetry.io/otel/trace v1.20.0/go.mod h1:HJSK7F/hA5RlzpZ0zKDCHCDHm556LCDtKaAo6JmBFUU= go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= go.opentelemetry.io/otel/trace v1.23.0/go.mod h1:GSGTbIClEsuZrGIzoEHqsVfxgn5UkggkflQwDScNUsk= go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= +go.opentelemetry.io/otel/trace v1.31.0/go.mod 
h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= -go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= -go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= +go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= +go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= +go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= +go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= -go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= -go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= -go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= +go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= +go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= +go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= 
@@ -2971,13 +3034,13 @@ go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= +go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= 
@@ -2985,16 +3048,17 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI= go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= -go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= goji.io v2.0.0+incompatible/go.mod h1:sbqFwrtqZACxLBTQcdgVjFh54yGVCvwq8+w49MVMMIk= goji.io v2.0.2+incompatible/go.mod h1:sbqFwrtqZACxLBTQcdgVjFh54yGVCvwq8+w49MVMMIk= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 
@@ -3043,14 +3107,14 @@ golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= -golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= +golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc= +golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= -golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4= -golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc= +golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04= +golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -3067,13 +3131,16 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20210126221216-84987778548c/go.mod h1:I6l2HNBLBZEcrOoCpyKLdY2lHoRZ8lI4x60KMCQDft4= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= golang.org/x/exp v0.0.0-20230206171751-46f607a40771/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= +golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= +golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= -golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI= -golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ= +golang.org/x/exp v0.0.0-20251017212417-90e834f514db h1:by6IehL4BH5k3e3SJmcoNbOobMey2SLpAF79iPOEBvw= +golang.org/x/exp v0.0.0-20251017212417-90e834f514db/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70= golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod 
h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= @@ -3127,13 +3194,14 @@ golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= -golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ= -golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc= +golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= +golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -3234,14 +3302,14 @@ golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= +golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= +golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= -golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= -golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= +golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= +golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -3287,9 +3355,11 @@ golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= -golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= -golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY= +golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -3313,11 +3383,11 @@ golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= -golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= -golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I= +golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180606202747-9527bec2660b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -3458,12 +3528,15 @@ golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= -golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= +golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE= golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= +golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 h1:LvzTn0GQhWuvKH/kVRS3R3bVAsdQWI7hvfLHGgh9+lU= +golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -3489,13 +3562,13 @@ golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= -golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= -golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= +golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= +golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= -golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= -golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= +golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= +golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -3520,26 +3593,24 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= +golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= -golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= -golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= +golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= +golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= -golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= -golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -3625,12 +3696,14 @@ golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM= +golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8= golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= 
@@ -3638,10 +3711,10 @@ golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= -golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= -golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= -golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY= -golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= +golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= +golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= +golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= +golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -3918,6 +3991,7 @@ google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqt google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro= google.golang.org/genproto v0.0.0-20240205150955-31a09d347014/go.mod h1:xEgQu1e4stdSSsxPDK8Azkrk/ECl5HvdPf6nbZrTS5M= google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8= google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= 
@@ -3944,18 +4018,24 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457/go. google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA= google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA= google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014/go.mod h1:rbHMSEDyoYX62nRVLOCc4Qt1HbsdytAYoVwgjiOhF3I= +google.golang.org/genproto/googleapis/api v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:PVreiBMirk8ypES6aw9d4p6iiBNSIfZEBqr3UGoAi2E= google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8= +google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8= google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y= google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237/go.mod h1:Z5Iiy3jtmioajWHDGFk7CeugTyHtPvMHA4UTmUkyalE= google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU= -google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117/go.mod h1:OimBR/bc1wPO9iV4NC2bpyjy3VnAwZh5EBPQdtaE5oo= google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142/go.mod h1:d6be+8HhtEtucleCbxpPW9PA9XwISACu8nvpPqF0BVo= google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:OCdP9MfskevB/rbYvHTsXTtKC+3bHWajPdoKgjcYkfo= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= 
-google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= -google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a h1:DMCgtIAIQGZqJXMVzJF4MV8BlWoJh2ZuFiRdAleyr58= -google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a/go.mod h1:y2yVLIE/CSMCPXaHnSKXxu1spLPnglFLegmgdY23uuE= +google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4= +google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a/go.mod h1:jehYqy3+AhJU9ve55aNOaSml7wUXjF9x6z2LcCfpAhY= +google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:E5//3O5ZIG2l71Xnt+P/CYUY8Bxs8E7WMoZ9tlcMbAY= +google.golang.org/genproto/googleapis/api v0.0.0-20250102185135-69823020774d/go.mod h1:2v7Z7gP2ZUOGsaFyxATQSRoBnKygqVq2Cwnvom7QiqY= +google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422/go.mod h1:b6h1vNKhxaSoEI+5jc3PJUCustfli/mRab7295pY7rw= +google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:Ic02D47M+zbarjYYUlK57y316f2MoN0gjAwI3f2S95o= +google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU= +google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg= +google.golang.org/genproto/googleapis/api v0.0.0-20251020155222-88f65dc88635 h1:1wvBeYv+A2zfEbxROscJl69OP0m74S8wGEO+Syat26o= +google.golang.org/genproto/googleapis/api v0.0.0-20251020155222-88f65dc88635/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo= google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:ylj+BE99M198VPbBh6A8d9n3w8fChvyLK3wwBOjXBFA= google.golang.org/genproto/googleapis/bytestream v0.0.0-20230807174057-1744710a1577/go.mod h1:NjCQG/D8JandXxM57PZbAJL1DCNL6EypA0vPPwfsc7c= 
google.golang.org/genproto/googleapis/bytestream v0.0.0-20231030173426-d783a09b4405/go.mod h1:GRUCuLdzVqZte8+Dl/D4N25yLzcGqqWaYkeVOwulFqw= 
@@ -3993,26 +4073,35 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe/go. google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014/go.mod h1:SaPjaZGWb0lPqs6Ittu0spdfrOArqji4ZdeP5IC/9N4= google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:YUWgXUFRPfoYK1IHMuxH5K6nPEXSCzIMljnQ59lLRCk= google.golang.org/genproto/googleapis/rpc v0.0.0-20240221002015-b0ce06bbee7c/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY= google.golang.org/genproto/googleapis/rpc v0.0.0-20240228201840-1f18d85a4ec2/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs= google.golang.org/genproto/googleapis/rpc v0.0.0-20240228224816-df926f6c8641/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs= google.golang.org/genproto/googleapis/rpc v0.0.0-20240304161311-37d4d3c04a78/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs= google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/genproto/googleapis/rpc 
v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240827150818-7e3bb234dfed/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241206012308-a4fef0638583/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a h1:tPE/Kp+x9dMSwUm/uM0JKK0IfdiJkwAbSMSeZBXXJXc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA= +google.golang.org/genproto/googleapis/rpc 
v0.0.0-20241223144023-3abc09e42ca8/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250102185135-69823020774d/go.mod h1:3ENsm/5D1mzDyhpzeRi1NR784I0BcofWBoSc5QqqMK4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250106144421-5f5ef82da422/go.mod h1:3ENsm/5D1mzDyhpzeRi1NR784I0BcofWBoSc5QqqMK4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250212204824-5a70512c5d8b/go.mod h1:8BS3B93F/U1juMFq9+EDk+qOT5CO1R9IzXxG3PTqiRk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251020155222-88f65dc88635 h1:3uycTxukehWrxH4HtPRtn1PDABTU331ViDjyqrUbaog= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251020155222-88f65dc88635/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= 
@@ -4072,17 +4161,22 @@ google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFL google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= -google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= -google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= -google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= -google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI= -google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= +google.golang.org/grpc v1.69.4/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= +google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw= +google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec= +google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec= +google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= +google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= +google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod 
h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0/go.mod h1:Dk1tviKTvMCz5tvh7t+fh94dhmQVHuCt2OzJB3CTW9Y= +google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20/go.mod h1:Nr5H8+MlGWr5+xX/STzdoEqJrO+YteqFbMyCsrb6mH0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -4107,7 +4201,10 @@ google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= 
@@ -4122,14 +4219,14 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= 
@@ -4157,13 +4254,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.18.5 h1:Cc3Z5vd6kDrZq9wO9KxKLNEickiTho6/H/dBNRVSos4= -helm.sh/helm/v3 v3.18.5/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg= +helm.sh/helm/v3 v3.18.6 h1:S/2CqcYnNfLckkHLI0VgQbxgcDaU3N4A/46E3n9wSNY= +helm.sh/helm/v3 v3.18.6/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -4172,37 +4268,37 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -istio.io/api v1.27.0-beta.0.0.20250731082105-36763529c462 h1:rmeRAAxlNrCj96Zlaf8r6YqU5kcU8Y7/96i29KPDHaY= -istio.io/api v1.27.0-beta.0.0.20250731082105-36763529c462/go.mod h1:DTVGH6CLXj5W8FF9JUD3Tis78iRgT1WeuAnxfTz21Wg= -istio.io/client-go v1.27.0-beta.0.0.20250731082605-b098a6e566f4 h1:mwO5Wx0H+xbEsyGHYRdWG8fjRw9Cr0EExleNW7SXQhM= -istio.io/client-go v1.27.0-beta.0.0.20250731082605-b098a6e566f4/go.mod h1:oUPY27HFv9fW32NtjxlgrRaa0dPIN6jYj/xGcjorLA0= -istio.io/istio v0.0.0-20250808040725-7359d8be2504 h1:tblfA2CTj3NWnw5XBlP3Lr0NxmXiCJ1TulQ8PZrKHcA= -istio.io/istio v0.0.0-20250808040725-7359d8be2504/go.mod h1:lCFDnjdmMaziwcb7xhi4cj5o3nWJF++tcYNCy2hOpFA= -k8s.io/api v0.33.1 h1:tA6Cf3bHnLIrUK4IqEgb2v++/GYUtqiu9sRVk3iBXyw= -k8s.io/api v0.33.1/go.mod h1:87esjTn9DRSRTD4fWMXamiXxJhpOIREjWOSjsW1kEHw= -k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguEE91zI= -k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA= -k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4= -k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/apiserver v0.33.1 h1:yLgLUPDVC6tHbNcw5uE9mo1T6ELhJj7B0geifra3Qdo= -k8s.io/apiserver v0.33.1/go.mod h1:VMbE4ArWYLO01omz+k8hFjAdYfc3GVAYPrhP2tTKccs= -k8s.io/cli-runtime v0.33.1 h1:TvpjEtF71ViFmPeYMj1baZMJR4iWUEplklsUQ7D3quA= -k8s.io/cli-runtime v0.33.1/go.mod h1:9dz5Q4Uh8io4OWCLiEf/217DXwqNgiTS/IOuza99VZE= -k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4= -k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA= 
-k8s.io/code-generator v0.33.1 h1:ZLzIRdMsh3Myfnx9BaooX6iQry29UJjVfVG+BuS+UMw= -k8s.io/code-generator v0.33.1/go.mod h1:HUKT7Ubp6bOgIbbaPIs9lpd2Q02uqkMCMx9/GjDrWpY= -k8s.io/component-base v0.33.1 h1:EoJ0xA+wr77T+G8p6T3l4efT2oNwbqBVKR71E0tBIaI= -k8s.io/component-base v0.33.1/go.mod h1:guT/w/6piyPfTgq7gfvgetyXMIh10zuXA6cRRm3rDuY= -k8s.io/component-helpers v0.33.1 h1:DdQMww8jOr+sGhIrkz70Lp9Qerq/JzeZDBRd508DHDo= -k8s.io/component-helpers v0.33.1/go.mod h1:LQwxW5L3dH7341Unj+phndJu0Ic5UjxA//7FT8YVP5U= +istio.io/api v1.28.0-alpha.0.0.20251210001900-ce7b5802387c h1:/LeROWG1fnEYKmDgSSmphn3IkPEBKZa5+7XU1idNev8= +istio.io/api v1.28.0-alpha.0.0.20251210001900-ce7b5802387c/go.mod h1:BD3qv/ekm16kvSgvSpuiDawgKhEwG97wx849CednJSg= +istio.io/client-go v1.28.0-alpha.0.0.20251210002059-b67694478a4b h1:DQI6BrG0f21heG6fzFgE5tziXnVEttTZlm4Nj5XH0QQ= +istio.io/client-go v1.28.0-alpha.0.0.20251210002059-b67694478a4b/go.mod h1:ttWw9sJTxuTthl9+A+ruUwJtnWWeTH30FtiXFPSpyXc= +istio.io/istio v0.0.0-20251215222123-9eb419397d40 h1:nXcsLA1mcSPbo+UFX9TNkSWqSyoRORAeE/4N9Cj8nLI= +istio.io/istio v0.0.0-20251215222123-9eb419397d40/go.mod h1:o6P1nwV1g+h/TIJ3TdFBzLMOIYjNK6uVm15ufCkrSno= +k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY= +k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw= +k8s.io/apiextensions-apiserver v0.34.2 h1:WStKftnGeoKP4AZRz/BaAAEJvYp4mlZGN0UCv+uvsqo= +k8s.io/apiextensions-apiserver v0.34.2/go.mod h1:398CJrsgXF1wytdaanynDpJ67zG4Xq7yj91GrmYN2SE= +k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4= +k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/apiserver v0.34.2 h1:2/yu8suwkmES7IzwlehAovo8dDE07cFRC7KMDb1+MAE= +k8s.io/apiserver v0.34.2/go.mod h1:gqJQy2yDOB50R3JUReHSFr+cwJnL8G1dzTA0YLEqAPI= +k8s.io/cli-runtime v0.34.2 h1:cct1GEuWc3IyVT8MSCoIWzRGw9HJ/C5rgP32H60H6aE= +k8s.io/cli-runtime v0.34.2/go.mod h1:X13tsrYexYUCIq8MarCBy8lrm0k0weFPTpcaNo7lms4= +k8s.io/client-go v0.34.2 
h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M= +k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE= +k8s.io/code-generator v0.34.2 h1:9bG6jTxmsU3HXE5BNYJTC8AZ1D6hVVfkm8yYSkdkGY0= +k8s.io/code-generator v0.34.2/go.mod h1:dnDDEd6S/z4uZ+PG1aE58ySCi/lR4+qT3a4DddE4/2I= +k8s.io/component-base v0.34.2 h1:HQRqK9x2sSAsd8+R4xxRirlTjowsg6fWCPwWYeSvogQ= +k8s.io/component-base v0.34.2/go.mod h1:9xw2FHJavUHBFpiGkZoKuYZ5pdtLKe97DEByaA+hHbM= +k8s.io/component-helpers v0.34.2 h1:RIUGDdU+QFzeVKLZ9f05sXTNAtJrRJ3bnbMLrogCrvM= +k8s.io/component-helpers v0.34.2/go.mod h1:pLi+GByuRTeFjjcezln8gHL7LcT6HImkwVQ3A2SQaEE= k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 h1:pWEwq4Asjm4vjW7vcsmijwBhOr1/shsbSYiWXmNGlks= k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/gengo/v2 v2.0.0-20240826214909-a7b603a56eb7/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= -k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 h1:2OX19X59HxDprNCVrWi6jb7LW1PoqTlYqEq5H2oetog= -k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= +k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= +k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d h1:qUrYOinhdAUL0xxhA4gPqogPBaS9nIq2l2kTb6pmeB0= +k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= 
@@ -4210,15 +4306,15 @@ k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.33.1/go.mod h1:C1I8mjFFBNzfUZXYt9FZVJ8MJl7ynFbGgZFbBzkBJ3E= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/kubectl v0.33.1 h1:OJUXa6FV5bap6iRy345ezEjU9dTLxqv1zFTVqmeHb6A= -k8s.io/kubectl v0.33.1/go.mod h1:Z07pGqXoP4NgITlPRrnmiM3qnoo1QrK1zjw85Aiz8J0= -k8s.io/metrics v0.33.1 h1:Ypd5ITCf+fM+LDNFk7hESXTc3vh02CQYGiwRoVRaGsM= -k8s.io/metrics v0.33.1/go.mod h1:wK8cFTK5ykBdhL0Wy4RZwLH28XM7j/Klc+NQrMRWVxg= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kms v0.34.2/go.mod h1:s1CFkLG7w9eaTYvctOxosx88fl4spqmixnNpys0JAtM= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/kubectl v0.34.2 h1:+fWGrVlDONMUmmQLDaGkQ9i91oszjjRAa94cr37hzqA= +k8s.io/kubectl v0.34.2/go.mod h1:X2KTOdtZZNrTWmUD4oHApJ836pevSl+zvC5sI6oO2YQ= +k8s.io/metrics v0.34.2 h1:zao91FNDVPRGIiHLO2vqqe21zZVPien1goyzn0hsz90= +k8s.io/metrics v0.34.2/go.mod h1:Ydulln+8uZZctUM8yrUQX4rfq/Ay6UzsuXf24QJ37Vc= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= knative.dev/hack v0.0.0-20211122162614-813559cefdda/go.mod 
h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI= knative.dev/hack v0.0.0-20211203062838-e11ac125e707/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI= knative.dev/networking v0.0.0-20211210083629-bace06e98aee h1:tMn0wtCgn2X+i+JiRk0mYHGrzI/7dZOkCPogz3u3qTU= 
@@ -4295,32 +4391,33 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.1 h1:Cf+ed5N8038zbsaXFO7mKQDi/+VcSRafb0jM84KX5so= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.1/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= -sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= -sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= -sigs.k8s.io/controller-tools v0.18.0 h1:rGxGZCZTV2wJreeRgqVoWab/mfcumTMmSwKzoM9xrsE= -sigs.k8s.io/controller-tools v0.18.0/go.mod h1:gLKoiGBriyNh+x1rWtUQnakUYEujErjXs9pf+x/8n1U= -sigs.k8s.io/gateway-api v1.3.0 h1:q6okN+/UKDATola4JY7zXzx40WO4VISk7i9DIfOvr9M= -sigs.k8s.io/gateway-api v1.3.0/go.mod h1:d8NV8nJbaRbEKem+5IuxkL8gJGOZ+FJ+NvOIltV8gDk= -sigs.k8s.io/gateway-api-inference-extension v0.5.0 h1:bYtXffUF1WUUFT2gYXaQBXIEXxXq/ZZLP9gqQweTrBI= -sigs.k8s.io/gateway-api-inference-extension v0.5.0/go.mod h1:lki0jx1qysZSZT4Ai2BxuAcpx6G8g5oBgOGuuJzjy/k= +sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A= +sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= +sigs.k8s.io/controller-tools v0.19.0 h1:OU7jrPPiZusryu6YK0jYSjPqg8Vhf8cAzluP9XGI5uk= +sigs.k8s.io/controller-tools v0.19.0/go.mod h1:y5HY/iNDFkmFla2CfQoVb2AQXMsBk4ad84iR1PLANB0= +sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ= +sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/gateway-api-inference-extension v1.1.0 h1:MqRYk+3LNUWB0MbTgTZVhmJGNDTvm8l3ze4MOlzR7MU= +sigs.k8s.io/gateway-api-inference-extension v1.1.0/go.mod h1:BmJy8Hvc2EHl3Oa/Ka8/4RqwVHCCbX7BLndLdMNtugI= +sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod 
h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= -sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ= -sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o= -sigs.k8s.io/kustomize/kustomize/v5 v5.6.0 h1:MWtRRDWCwQEeW2rnJTqJMuV6Agy56P53SkbVoJpN7wA= -sigs.k8s.io/kustomize/kustomize/v5 v5.6.0/go.mod h1:XuuZiQF7WdcvZzEYyNww9A0p3LazCKeJmCjeycN8e1I= -sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA= -sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I= +sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM= +sigs.k8s.io/kustomize/kustomize/v5 v5.7.1 h1:sYJsarwy/SDJfjjLMUqwFDGPwzUtMOQ1i1Ed49+XSbw= +sigs.k8s.io/kustomize/kustomize/v5 v5.7.1/go.mod h1:+5/SrBcJ4agx1SJknGuR/c9thwRSKLxnKoI5BzXFaLU= +sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78= +sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po= sigs.k8s.io/mcs-api v0.2.0 h1:F8o/nIpQmog494Qwe94srDWjS3ltEu4y5IL9i3dB938= sigs.k8s.io/mcs-api v0.2.0/go.mod h1:zZ5CK8uS6HaLkxY4HqsmcBHfzHuNMrY2uJy8T7jffK4= sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod 
h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= +sigs.k8s.io/structured-merge-diff/v6 v6.2.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml b/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml index 87d67224160..776e72d176e 100644 --- a/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml +++ b/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: authconfigs.enterprise.gloo.solo.io spec: group: enterprise.gloo.solo.io diff --git a/install/helm/gloo/crds/gateway.gloo.solo.io_directresponses.yaml b/install/helm/gloo/crds/gateway.gloo.solo.io_directresponses.yaml index df8cca56ecc..c11ce8530d1 100644 --- a/install/helm/gloo/crds/gateway.gloo.solo.io_directresponses.yaml +++ b/install/helm/gloo/crds/gateway.gloo.solo.io_directresponses.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.19.0 labels: app: gloo-gateway app.kubernetes.io/name: gloo-gateway diff --git a/install/helm/gloo/crds/gateway.gloo.solo.io_gatewayparameters.yaml b/install/helm/gloo/crds/gateway.gloo.solo.io_gatewayparameters.yaml index a27718c87e0..6901bcb61d7 100644 --- a/install/helm/gloo/crds/gateway.gloo.solo.io_gatewayparameters.yaml +++ b/install/helm/gloo/crds/gateway.gloo.solo.io_gatewayparameters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.19.0 labels: app: gloo-gateway app.kubernetes.io/name: gloo-gateway @@ -71,6 +71,23 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: properties: containerName: @@ -471,6 +488,23 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: properties: containerName: 
@@ -899,6 +933,29 @@ spec: type: object restartPolicy: type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic securityContext: properties: allowPrivilegeEscalation: diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml index 07304b5f39a..3ce431a8711 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: gateways.gateway.solo.io spec: group: gateway.solo.io diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml index 318d38d5b34..e240d62a636 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: httplisteneroptions.gateway.solo.io spec: group: gateway.solo.io diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_ListenerOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_ListenerOption.yaml index 5cbae702e8e..75ce316a984 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_ListenerOption.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_ListenerOption.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: listeneroptions.gateway.solo.io spec: group: gateway.solo.io 
diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml index 37be857dcde..5965fd0b79c 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: httpgateways.gateway.solo.io spec: group: gateway.solo.io diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_MatchableTcpGateway.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_MatchableTcpGateway.yaml index 70abec4eb48..57aabbd8764 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_MatchableTcpGateway.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_MatchableTcpGateway.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: tcpgateways.gateway.solo.io spec: group: gateway.solo.io diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml index 2b783c624d4..45ecbbcb236 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: routeoptions.gateway.solo.io spec: group: gateway.solo.io diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml index 4ecf202e877..a3d51d80047 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: routetables.gateway.solo.io spec: group: gateway.solo.io 
diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualHostOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualHostOption.yaml index fb1ec006efe..07c5ef6f86c 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualHostOption.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualHostOption.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: virtualhostoptions.gateway.solo.io spec: group: gateway.solo.io diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml index 85dc04d62bd..862498c9453 100644 --- a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml +++ b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: virtualservices.gateway.solo.io spec: group: gateway.solo.io diff --git a/install/helm/gloo/crds/gloo.solo.io_v1_Proxy.yaml b/install/helm/gloo/crds/gloo.solo.io_v1_Proxy.yaml index fe55950ea6f..2322c79907b 100644 --- a/install/helm/gloo/crds/gloo.solo.io_v1_Proxy.yaml +++ b/install/helm/gloo/crds/gloo.solo.io_v1_Proxy.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: proxies.gloo.solo.io spec: group: gloo.solo.io diff --git a/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml b/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml index 8e1d48c22b8..baabd5bc2f2 100644 --- a/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml +++ b/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null labels: gloo: settings name: settings.gloo.solo.io 
diff --git a/install/helm/gloo/crds/gloo.solo.io_v1_Upstream.yaml b/install/helm/gloo/crds/gloo.solo.io_v1_Upstream.yaml index b50e07a482c..4e37583432c 100644 --- a/install/helm/gloo/crds/gloo.solo.io_v1_Upstream.yaml +++ b/install/helm/gloo/crds/gloo.solo.io_v1_Upstream.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: upstreams.gloo.solo.io spec: group: gloo.solo.io diff --git a/install/helm/gloo/crds/gloo.solo.io_v1_UpstreamGroup.yaml b/install/helm/gloo/crds/gloo.solo.io_v1_UpstreamGroup.yaml index 82943d419aa..88046b1bfce 100644 --- a/install/helm/gloo/crds/gloo.solo.io_v1_UpstreamGroup.yaml +++ b/install/helm/gloo/crds/gloo.solo.io_v1_UpstreamGroup.yaml @@ -3,7 +3,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - creationTimestamp: null name: upstreamgroups.gloo.solo.io spec: group: gloo.solo.io diff --git a/pkg/listers/mocks/mock_listers.go b/pkg/listers/mocks/mock_listers.go index a6cdb355bd5..7bcc107a7f2 100644 --- a/pkg/listers/mocks/mock_listers.go +++ b/pkg/listers/mocks/mock_listers.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/pkg/listers (interfaces: NamespaceLister) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_listers.go -package mocks github.com/solo-io/gloo/pkg/listers NamespaceLister +// // Package mocks is a generated GoMock package. package mocks @@ -8,13 +13,14 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" + gomock "go.uber.org/mock/gomock" ) // MockNamespaceLister is a mock of NamespaceLister interface. type MockNamespaceLister struct { ctrl *gomock.Controller recorder *MockNamespaceListerMockRecorder + isgomock struct{} } // MockNamespaceListerMockRecorder is the mock recorder for MockNamespaceLister. 
@@ -35,16 +41,16 @@ func (m *MockNamespaceLister) EXPECT() *MockNamespaceListerMockRecorder { } // List mocks base method. -func (m *MockNamespaceLister) List(arg0 context.Context) ([]string, error) { +func (m *MockNamespaceLister) List(ctx context.Context) ([]string, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "List", arg0) + ret := m.ctrl.Call(m, "List", ctx) ret0, _ := ret[0].([]string) ret1, _ := ret[1].(error) return ret0, ret1 } // List indicates an expected call of List. -func (mr *MockNamespaceListerMockRecorder) List(arg0 interface{}) *gomock.Call { +func (mr *MockNamespaceListerMockRecorder) List(ctx any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockNamespaceLister)(nil).List), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockNamespaceLister)(nil).List), ctx) } diff --git a/pkg/utils/selectionutils/mocks/mock_virtual_service.go b/pkg/utils/selectionutils/mocks/mock_virtual_service.go index 6950dca80bf..975419f2502 100644 --- a/pkg/utils/selectionutils/mocks/mock_virtual_service.go +++ b/pkg/utils/selectionutils/mocks/mock_virtual_service.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/pkg/utils/selectionutils (interfaces: VirtualServiceSelector) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_virtual_service.go -package mocks github.com/solo-io/gloo/pkg/utils/selectionutils VirtualServiceSelector +// // Package mocks is a generated GoMock package. package mocks 
@@ -8,15 +13,16 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" core "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" + gomock "go.uber.org/mock/gomock" ) // MockVirtualServiceSelector is a mock of VirtualServiceSelector interface. type MockVirtualServiceSelector struct { ctrl *gomock.Controller recorder *MockVirtualServiceSelectorMockRecorder + isgomock struct{} } // MockVirtualServiceSelectorMockRecorder is the mock recorder for MockVirtualServiceSelector. @@ -37,16 +43,16 @@ func (m *MockVirtualServiceSelector) EXPECT() *MockVirtualServiceSelectorMockRec } // SelectOrBuildVirtualService mocks base method. -func (m *MockVirtualServiceSelector) SelectOrBuildVirtualService(arg0 context.Context, arg1 *core.ResourceRef) (*v1.VirtualService, error) { +func (m *MockVirtualServiceSelector) SelectOrBuildVirtualService(ctx context.Context, ref *core.ResourceRef) (*v1.VirtualService, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "SelectOrBuildVirtualService", arg0, arg1) + ret := m.ctrl.Call(m, "SelectOrBuildVirtualService", ctx, ref) ret0, _ := ret[0].(*v1.VirtualService) ret1, _ := ret[1].(error) return ret0, ret1 } // SelectOrBuildVirtualService indicates an expected call of SelectOrBuildVirtualService. -func (mr *MockVirtualServiceSelectorMockRecorder) SelectOrBuildVirtualService(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockVirtualServiceSelectorMockRecorder) SelectOrBuildVirtualService(ctx, ref any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SelectOrBuildVirtualService", reflect.TypeOf((*MockVirtualServiceSelector)(nil).SelectOrBuildVirtualService), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SelectOrBuildVirtualService", reflect.TypeOf((*MockVirtualServiceSelector)(nil).SelectOrBuildVirtualService), ctx, ref) } 
diff --git a/pkg/utils/selectionutils/virtual_service_test.go b/pkg/utils/selectionutils/virtual_service_test.go index 7414e1693d9..f35850d86cc 100644 --- a/pkg/utils/selectionutils/virtual_service_test.go +++ b/pkg/utils/selectionutils/virtual_service_test.go @@ -3,7 +3,6 @@ package selectionutils_test import ( "context" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" errors "github.com/rotisserie/eris" @@ -15,6 +14,7 @@ import ( "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" sk_errors "github.com/solo-io/solo-kit/pkg/errors" "github.com/solo-io/solo-kit/test/matchers" + "go.uber.org/mock/gomock" ) var ( diff --git a/projects/envoyinit/hack/filter_types/filter_types.gen.go b/projects/envoyinit/hack/filter_types/filter_types.gen.go index 96793228d5d..2c34936fd97 100644 --- a/projects/envoyinit/hack/filter_types/filter_types.gen.go +++ b/projects/envoyinit/hack/filter_types/filter_types.gen.go @@ -72,9 +72,11 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/data/tap/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/file/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/filters/cel/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/filters/process_ratelimit/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/fluentd/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/grpc/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/open_telemetry/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stats/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stream/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/wasm/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/internal_listener/v3" 
@@ -165,6 +167,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/stateful_session/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/tap/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/thrift_to_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/transform/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/upstream_codec/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3" @@ -266,6 +269,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/ssl/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/stats/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/transport_socket/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/consistent_hashing/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/ip/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/metadata/v3" 
@@ -397,9 +401,11 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/data/tap/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/file/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/filters/cel/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/filters/process_ratelimit/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/fluentd/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/grpc/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/open_telemetry/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stats/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stream/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/wasm/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/internal_listener/v3" @@ -490,6 +496,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/stateful_session/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/tap/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/thrift_to_metadata/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/transform/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/upstream_codec/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3" 
@@ -591,6 +598,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/ssl/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/stats/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/transport_socket/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/consistent_hashing/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/ip/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/metadata/v3" diff --git a/projects/gateway/pkg/api/v1/kube/client/applyconfiguration/internal/internal.go b/projects/gateway/pkg/api/v1/kube/client/applyconfiguration/internal/internal.go index 4d7ef1313fb..0c67a4209e9 100644 --- a/projects/gateway/pkg/api/v1/kube/client/applyconfiguration/internal/internal.go +++ b/projects/gateway/pkg/api/v1/kube/client/applyconfiguration/internal/internal.go @@ -22,7 +22,7 @@ import ( "fmt" "sync" - typed "sigs.k8s.io/structured-merge-diff/v4/typed" + typed "sigs.k8s.io/structured-merge-diff/v6/typed" ) func Parser() *typed.Parser { diff --git a/projects/gateway/pkg/mocks/mock_gateway_client.go b/projects/gateway/pkg/mocks/mock_gateway_client.go index c38aad1f6e1..f4b5658f707 100644 --- a/projects/gateway/pkg/mocks/mock_gateway_client.go +++ b/projects/gateway/pkg/mocks/mock_gateway_client.go @@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockGatewayClient is a mock of GatewayClient interface diff --git a/projects/gateway/pkg/mocks/mock_route_table_client.go b/projects/gateway/pkg/mocks/mock_route_table_client.go index df5862c607b..d84b2c0e52c 100644 
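Review bot: The import swap in projects/gateway/pkg/mocks/mock_gateway_client.go looks like a manual edit of mockgen output rather than a regeneration. The hunk touches only the `gomock` import, while the mocks regenerated elsewhere in this commit (for example pkg/listers/mocks/mock_listers.go) also gain the `isgomock struct{}` field, named parameters and a `// Generated by this command:` header. The same applies to mock_route_table_client.go, mock_virtual_service_client.go and the two files under mock_v1/. Regenerating them with the same mockgen version would keep the checked-in mocks reproducible from source, so a later `go generate` run does not produce an unrelated diff. The top of each file is outside the hunk, so whether a generate directive exists for them is not visible here.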
--- a/projects/gateway/pkg/mocks/mock_route_table_client.go +++ b/projects/gateway/pkg/mocks/mock_route_table_client.go @@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockRouteTableClient is a mock of RouteTableClient interface diff --git a/projects/gateway/pkg/mocks/mock_v1/mock_gateway_client.go b/projects/gateway/pkg/mocks/mock_v1/mock_gateway_client.go index 72c87b46c9f..f3dda259039 100644 --- a/projects/gateway/pkg/mocks/mock_v1/mock_gateway_client.go +++ b/projects/gateway/pkg/mocks/mock_v1/mock_gateway_client.go @@ -7,9 +7,9 @@ package mock_v1 import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockGatewayClient is a mock of GatewayClient interface diff --git a/projects/gateway/pkg/mocks/mock_v1/mock_virtual_service_client.go b/projects/gateway/pkg/mocks/mock_v1/mock_virtual_service_client.go index ee71db3188e..43d015e56b4 100644 --- a/projects/gateway/pkg/mocks/mock_v1/mock_virtual_service_client.go +++ b/projects/gateway/pkg/mocks/mock_v1/mock_virtual_service_client.go @@ -7,9 +7,9 @@ package mock_v1 import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockVirtualServiceClient is a mock of VirtualServiceClient interface diff --git a/projects/gateway/pkg/mocks/mock_virtual_service_client.go b/projects/gateway/pkg/mocks/mock_virtual_service_client.go index 9992e902490..aa886caf535 100644 --- a/projects/gateway/pkg/mocks/mock_virtual_service_client.go +++ b/projects/gateway/pkg/mocks/mock_virtual_service_client.go 
@@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockVirtualServiceClient is a mock of VirtualServiceClient interface diff --git a/projects/gateway/pkg/syncer/translator_syncer_test.go b/projects/gateway/pkg/syncer/translator_syncer_test.go index 8d4b84d2eae..450dbe044bd 100644 --- a/projects/gateway/pkg/syncer/translator_syncer_test.go +++ b/projects/gateway/pkg/syncer/translator_syncer_test.go @@ -10,7 +10,6 @@ import ( "github.com/solo-io/gloo/pkg/utils/statusutils" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/solo-io/gloo/pkg/utils/settingsutil" @@ -26,6 +25,7 @@ import ( "github.com/solo-io/solo-kit/pkg/api/v1/resources" "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" "github.com/solo-io/solo-kit/pkg/api/v2/reporter" + "go.uber.org/mock/gomock" ) var _ = Describe("TranslatorSyncer", func() { diff --git a/projects/gateway/pkg/translator/mocks/mock_translator.go b/projects/gateway/pkg/translator/mocks/mock_translator.go index 3eb52f75b1b..f083e2e834c 100644 --- a/projects/gateway/pkg/translator/mocks/mock_translator.go +++ b/projects/gateway/pkg/translator/mocks/mock_translator.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gateway/pkg/translator (interfaces: Translator) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_translator.go -package mocks github.com/solo-io/gloo/projects/gateway/pkg/translator Translator +// // Package mocks is a generated GoMock package. package mocks 
@@ -8,17 +13,18 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" v10 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" gloosnapshot "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/gloosnapshot" reporter "github.com/solo-io/solo-kit/pkg/api/v2/reporter" + gomock "go.uber.org/mock/gomock" ) // MockTranslator is a mock of Translator interface. type MockTranslator struct { ctrl *gomock.Controller recorder *MockTranslatorMockRecorder + isgomock struct{} } // MockTranslatorMockRecorder is the mock recorder for MockTranslator. @@ -39,16 +45,16 @@ func (m *MockTranslator) EXPECT() *MockTranslatorMockRecorder { } // Translate mocks base method. -func (m *MockTranslator) Translate(arg0 context.Context, arg1 string, arg2 *gloosnapshot.ApiSnapshot, arg3 v1.GatewayList) (*v10.Proxy, reporter.ResourceReports) { +func (m *MockTranslator) Translate(ctx context.Context, proxyName string, snap *gloosnapshot.ApiSnapshot, filteredGateways v1.GatewayList) (*v10.Proxy, reporter.ResourceReports) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Translate", arg0, arg1, arg2, arg3) + ret := m.ctrl.Call(m, "Translate", ctx, proxyName, snap, filteredGateways) ret0, _ := ret[0].(*v10.Proxy) ret1, _ := ret[1].(reporter.ResourceReports) return ret0, ret1 } // Translate indicates an expected call of Translate. -func (mr *MockTranslatorMockRecorder) Translate(arg0, arg1, arg2, arg3 interface{}) *gomock.Call { +func (mr *MockTranslatorMockRecorder) Translate(ctx, proxyName, snap, filteredGateways any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Translate", reflect.TypeOf((*MockTranslator)(nil).Translate), arg0, arg1, arg2, arg3) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Translate", reflect.TypeOf((*MockTranslator)(nil).Translate), ctx, proxyName, snap, filteredGateways) } 
diff --git a/projects/gateway2/crds/gateway-crds.yaml b/projects/gateway2/crds/gateway-crds.yaml index 5b5a6d4f215..30154f05d73 100644 --- a/projects/gateway2/crds/gateway-crds.yaml +++ b/projects/gateway2/crds/gateway-crds.yaml @@ -24,9 +24,8 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null labels: gateway.networking.k8s.io/policy: Direct name: backendtlspolicies.gateway.networking.k8s.io @@ -47,7 +46,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: description: |- @@ -114,6 +113,22 @@ spec: be unique across all targetRef entries in the BackendTLSPolicy. * They select different sectionNames in the same target. + When more than one BackendTLSPolicy selects the same target and + sectionName, implementations MUST determine precedence using the + following criteria, continuing on ties: + + * The older policy by creation timestamp takes precedence. For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by {name}. + For example, a policy named `bar` is given precedence over a + policy named `baz`. + + For any BackendTLSPolicy that does not take precedence, the + implementation MUST ensure the `Accepted` Condition is set to + `status: False`, with Reason `Conflicted`. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource 
@@ -170,6 +185,7 @@ spec: maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: sectionName must be specified when targetRefs includes 2 or more references to the same target 
@@ -198,8 +214,31 @@ spec: not both. If CACertificateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation. - References to a resource in a different namespace are invalid for the - moment, although we will revisit this in the future. + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace. This may change in future + spec updates. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message must be set for the invalid reference. + + In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on + the BackendTLSPolicy is set to `status: False`, with a Reason and Message + that indicate the cause of the error. Connections using an invalid + CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error + response. If ALL CACertificateRefs are invalid, the implementation MUST also + ensure the `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with a Reason `NoValidCACertificate`. A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. Implementations MAY choose to support attaching multiple certificates to 
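Review bot: The added CACertificateRefs text requires fail-closed behaviour that a CRD bump alone does not provide. Per the new description, a connection using an invalid reference MUST fail with an HTTP 5xx and `ResolvedRefs` must be `status: False`, with `Accepted` also `status: False` and Reason `NoValidCACertificate` when every reference is invalid. The hostname hunk at `@@ -247,15 +286,18 @@` likewise states that Hostname MUST NOT be used for authentication once SubjectAltNames are specified. Both are description-only changes, so nothing in the visible lines enforces them. The gateway2 code that translates BackendTLSPolicy into upstream TLS validation is not in view and may need matching changes or tests, for example a case confirming that a ConfigMap without a `ca.crt` key leaves the backend failing rather than connected without verification.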
@@ -208,8 +247,8 @@ spec: Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific (More than one reference, or other kinds - of resources). + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- LocalObjectReference identifies an API object within the namespace of the @@ -247,15 +286,18 @@ spec: type: object maxItems: 8 type: array + x-kubernetes-list-type: atomic hostname: description: |- Hostname is used for two purposes in the connection between Gateways and backends: 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - 2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified. - authentication and MUST match the certificate served by the matching - backend. + 2. Hostname MUST be used for authentication and MUST match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. If SubjectAltNames are specified, Hostname can be used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. Support: Core maxLength: 253 @@ -325,6 +367,7 @@ spec: "")' maxItems: 5 type: array + x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- WellKnownCACertificates specifies whether system CA certificates may be used in 
@@ -332,10 +375,11 @@ spec: If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of - CACertificateRefs or WellKnownCACertificates may be specified, not both. If an - implementation does not support the WellKnownCACertificates field or the value - supplied is not supported, the Status Conditions on the Policy MUST be - updated to include an Accepted: False Condition with Reason: Invalid. + CACertificateRefs or WellKnownCACertificates may be specified, not both. + If an implementation does not support the WellKnownCACertificates field, or + the supplied value is not recognized, the implementation MUST ensure the + `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with + a Reason `Invalid`. Support: Implementation-specific enum: @@ -646,10 +690,12 @@ spec: type: string required: - ancestorRef + - conditions - controllerName type: object maxItems: 16 type: array + x-kubernetes-list-type: atomic required: - ancestors type: object 
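Review bot: Adding `- conditions` to the `required` list of each `status.ancestors` entry (hunk `@@ -646,10 +690,12 @@`) means the API server will reject a status update whose ancestor entry omits the `conditions` key. The previous schema required only `ancestorRef` and `controllerName`. The status writer for BackendTLSPolicy is outside this hunk, so it is worth confirming that it always populates `conditions` before writing an ancestor entry. The `x-kubernetes-list-type: atomic` marker added to `ancestors` in the same hunk also makes the list replace as a whole under server-side apply, which matters if more than one controller reports status on the same policy.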
@@ -660,73 +706,15 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null - name: gatewayclasses.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: GatewayClass - listKind: GatewayClassList - plural: gatewayclasses - shortNames: - - gc - singular: gatewayclass - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.controllerName - name: Controller - type: string - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.description - name: Description - priority: 1 - type: string - name: v1 + - deprecated: true + deprecationWarning: The v1alpha3 version of BackendTLSPolicy has been deprecated + and will be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 schema: openAPIV3Schema: description: |- - GatewayClass describes a class of Gateways available to the user for creating - Gateway resources. - - It is recommended that this resource be used as a template for Gateways. This - means that a Gateway is based on the state of the GatewayClass at the time it - was created and changes to the GatewayClass or associated parameters are not - propagated down to existing Gateways. This recommendation is intended to - limit the blast radius of changes to GatewayClass or associated parameters. 
- If implementations choose to propagate GatewayClass changes to existing - Gateways, that MUST be clearly documented by the implementation. - - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD - add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the - associated GatewayClass. This ensures that a GatewayClass associated with a - Gateway is not deleted while in use. - - GatewayClass is a Cluster level resource. + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. properties: apiVersion: description: |- 
@@ -746,441 +734,640 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of GatewayClass. + description: Spec defines the desired state of BackendTLSPolicy. properties: - controllerName: + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string description: |- - ControllerName is the name of the controller that is managing Gateways of - this class. The value of this field MUST be a domain prefixed path. - - Example: "example.net/gateway-controller". + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. - This field is not mutable and cannot be empty. + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - description: - description: Description helps describe a GatewayClass with more details. - maxLength: 64 - type: string - parametersRef: + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: description: |- - ParametersRef is a reference to a resource that contains the configuration - parameters corresponding to the GatewayClass. 
This is optional if the - controller does not require any additional configuration. + TargetRefs identifies an API object to apply the policy to. + Only Services have Extended support. Implementations MAY support + additional objects, with Implementation Specific support. + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, - or an implementation-specific custom resource. The resource can be - cluster-scoped or namespace-scoped. + TargetRefs must be _distinct_. This means either that: - If the referent cannot be found, refers to an unsupported kind, or when - the data within that resource is malformed, the GatewayClass SHOULD be - rejected with the "Accepted" status condition set to "False" and an - "InvalidParameters" reason. + * They select different targets. If this is the case, then targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They select different sectionNames in the same target. - A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, - the merging behavior is implementation specific. - It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + When more than one BackendTLSPolicy selects the same target and + sectionName, implementations MUST determine precedence using the + following criteria, continuing on ties: - Support: Implementation-specific - properties: - group: - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. - This field is required when referring to a Namespace-scoped resource and - MUST be unset when referring to a Cluster-scoped resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - required: - - controllerName - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - description: |- - Status defines the current state of GatewayClass. + * The older policy by creation timestamp takes precedence. For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by {name}. + For example, a policy named `bar` is given precedence over a + policy named `baz`. - Implementations MUST populate status on all GatewayClass resources which - specify their controller name. - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - description: |- - Conditions is the current status from the controller for - this GatewayClass. + For any BackendTLSPolicy that does not take precedence, the + implementation MUST ensure the `Accepted` Condition is set to + `status: False`, with Reason `Conflicted`. - Controllers should prefer to publish conditions using values - of GatewayClassConditionType for the type of each Condition. 
+ Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: |- + LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a + direct policy to. This should be used as part of Policy resources that can + target single resources. For more information on how this policy attachment + mode works, and a sample Policy resource, refer to the policy attachment + documentation for Gateway API. + + Note: This should only be used for direct policy attachment when references + to SectionName are actually needed. In all other cases, + LocalPolicyTargetReference should be used. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 + kind: + description: Kind is kind of the target resource. + maxLength: 63 minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - supportedFeatures: - description: |- - SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order by the Name key. - items: - properties: name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: description: |- - FeatureName is used to describe distinct features that are covered by - conformance tests. + SectionName is the name of a section within the target resource. When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: + + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: + - group + - kind - name type: object - maxItems: 64 + maxItems: 16 + minItems: 1 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.controllerName - name: Controller - type: string - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.description - name: Description - priority: 1 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - GatewayClass describes a class of Gateways available to the user for creating - Gateway resources. + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when targetRefs includes + 2 or more references to the same target + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName + == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) + : true))' + - message: sectionName must be unique when targetRefs includes 2 or + more references to the same target + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || + p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + validation: + description: Validation contains backend TLS validation configuration. 
+ properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes objects that + contain a PEM-encoded TLS CA certificate bundle, which is used to + validate a TLS handshake between the Gateway and backend Pod. - It is recommended that this resource be used as a template for Gateways. This - means that a Gateway is based on the state of the GatewayClass at the time it - was created and changes to the GatewayClass or associated parameters are not - propagated down to existing Gateways. This recommendation is intended to - limit the blast radius of changes to GatewayClass or associated parameters. - If implementations choose to propagate GatewayClass changes to existing - Gateways, that MUST be clearly documented by the implementation. + If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be + specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, + not both. If CACertificateRefs is empty or unspecified, the configuration for + WellKnownCACertificates MUST be honored instead if supported by the implementation. - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD - add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the - associated GatewayClass. This ensures that a GatewayClass associated with a - Gateway is not deleted while in use. + A CACertificateRef is invalid if: - GatewayClass is a Cluster level resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. 
- Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of GatewayClass. - properties: - controllerName: - description: |- - ControllerName is the name of the controller that is managing Gateways of - this class. The value of this field MUST be a domain prefixed path. + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. - Example: "example.net/gateway-controller". + * It refers to an unknown or unsupported kind of resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. - This field is not mutable and cannot be empty. + * It refers to a resource in another namespace. This may change in future + spec updates. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - description: - description: Description helps describe a GatewayClass with more details. - maxLength: 64 - type: string - parametersRef: - description: |- - ParametersRef is a reference to a resource that contains the configuration - parameters corresponding to the GatewayClass. This is optional if the - controller does not require any additional configuration. 
+ Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message must be set for the invalid reference. - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, - or an implementation-specific custom resource. The resource can be - cluster-scoped or namespace-scoped. + In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on + the BackendTLSPolicy is set to `status: False`, with a Reason and Message + that indicate the cause of the error. Connections using an invalid + CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error + response. If ALL CACertificateRefs are invalid, the implementation MUST also + ensure the `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with a Reason `NoValidCACertificate`. - If the referent cannot be found, refers to an unsupported kind, or when - the data within that resource is malformed, the GatewayClass SHOULD be - rejected with the "Accepted" status condition set to "False" and an - "InvalidParameters" reason. + A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a backend, but this behavior is implementation-specific. - A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, - the merging behavior is implementation specific. - It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + Support: Core - An optional single reference to a Kubernetes ConfigMap, + with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific - properties: - group: - description: Group is the group of the referent. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + LocalObjectReference identifies an API object within the namespace of the + referrer. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" + or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + hostname: + description: |- + Hostname is used for two purposes in the connection between Gateways and + backends: + + 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). + 2. Hostname MUST be used for authentication and MUST match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. 
If SubjectAltNames are specified, Hostname can be used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + + Support: Core maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - namespace: + subjectAltNames: description: |- - Namespace is the namespace of the referent. - This field is required when referring to a Namespace-scoped resource and - MUST be unset when referring to a Cluster-scoped resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name + SubjectAltNames contains one or more Subject Alternative Names. + When specified the certificate served from the backend MUST + have at least one Subject Alternate Name matching one of the specified SubjectAltNames. + + Support: Extended + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: |- + Hostname contains Subject Alternative Name specified in DNS name format. + Required when Type is set to Hostname, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: |- + Type determines the format of the Subject Alternative Name. Always required. + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: |- + URI contains Subject Alternative Name specified in a full URI format. + It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. + Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + Required when Type is set to URI, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? 
+ type: string + required: + - type + type: object + x-kubernetes-validations: + - message: SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: '!(self.type == "Hostname" && (!has(self.hostname) || + self.hostname == ""))' + - message: SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: '!(self.type != "Hostname" && has(self.hostname) && + self.hostname != "")' + - message: SubjectAltName element must contain URI, if Type + is set to URI + rule: '!(self.type == "URI" && (!has(self.uri) || self.uri + == ""))' + - message: SubjectAltName element must not contain URI, if Type + is not set to URI + rule: '!(self.type != "URI" && has(self.uri) && self.uri != + "")' + maxItems: 5 + type: array + x-kubernetes-list-type: atomic + wellKnownCACertificates: + description: |- + WellKnownCACertificates specifies whether system CA certificates may be used in + the TLS handshake between the gateway and backend pod. + + If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs + must be specified with at least one entry for a valid configuration. Only one of + CACertificateRefs or WellKnownCACertificates may be specified, not both. + If an implementation does not support the WellKnownCACertificates field, or + the supplied value is not recognized, the implementation MUST ensure the + `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with + a Reason `Invalid`. 
+ + Support: Implementation-specific + enum: + - System + type: string + required: + - hostname type: object + x-kubernetes-validations: + - message: must not contain both CACertificateRefs and WellKnownCACertificates + rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "")' + - message: must specify either CACertificateRefs or WellKnownCACertificates + rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "") required: - - controllerName + - targetRefs + - validation type: object status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - description: |- - Status defines the current state of GatewayClass. - - Implementations MUST populate status on all GatewayClass resources which - specify their controller name. + description: Status defines the current state of BackendTLSPolicy. properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted + ancestors: description: |- - Conditions is the current status from the controller for - this GatewayClass. + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. - Controllers should prefer to publish conditions using values - of GatewayClassConditionType for the type of each Condition. 
- items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - supportedFeatures: - description: |- - SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order by the Name key. + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. 
For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. properties: - name: + ancestorRef: description: |- - FeatureName is used to describe distinct features that are covered by - conformance tests. 
- type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} -status: + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. 
+ + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: false +status: acceptedNames: kind: "" plural: "" 
@@ -1188,49 +1375,64 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.k8s.io_gateways.yaml +# config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null - name: gateways.gateway.networking.k8s.io + name: gatewayclasses.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: Gateway - listKind: GatewayList - plural: gateways + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses shortNames: - - gtw - singular: gateway - scope: Namespaced + - gc + singular: gatewayclass + scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .spec.gatewayClassName - name: Class + - jsonPath: .spec.controllerName + name: Controller type: string - - jsonPath: .status.addresses[*].value - name: Address - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted type: string - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string name: v1 schema: openAPIV3Schema: description: |- - Gateway represents an instance of a service-traffic handling infrastructure - by binding Listeners to a set of IP addresses. + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + It is recommended that this resource be used as a template for Gateways. 
This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + GatewayClass is a Cluster level resource. properties: apiVersion: description: |- 
@@ -1250,319 +1452,784 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of Gateway. + description: Spec defines the desired state of GatewayClass. properties: - addresses: + controllerName: description: |- - Addresses requested for this Gateway. This is optional and behavior can - depend on the implementation. If a value is set in the spec and the - requested address is invalid or unavailable, the implementation MUST - indicate this in the associated entry in GatewayStatus.Addresses. + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. - The Addresses field represents a request for the address(es) on the - "outside of the Gateway", that traffic bound for this Gateway will use. - This could be the IP address or hostname of an external load balancer or - other networking infrastructure, or some other address that traffic will - be sent to. + Example: "example.net/gateway-controller". - If no Addresses are specified, the implementation MAY schedule the - Gateway in an implementation-specific manner, assigning an appropriate - set of Addresses. + This field is not mutable and cannot be empty. - The implementation MUST bind all Listeners to every GatewayAddress that - it assigns to the Gateway and add a corresponding entry in - GatewayStatus.Addresses. + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. 
This is optional if the + controller does not require any additional configuration. - Support: Extended + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. 
+ + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. items: - description: GatewaySpecAddress describes an address that can be - bound to a Gateway. - oneOf: - - properties: - type: - enum: - - IPAddress - value: - anyOf: - - format: ipv4 - - format: ipv6 - - properties: - type: - not: - enum: - - IPAddress + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - type: - default: IPAddress - description: Type of the address. - maxLength: 253 - minLength: 1 - pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - value: + message: description: |- - When a value is unspecified, an implementation SHOULD automatically - assign an address matching the requested type if possible. - - If an implementation does not support an empty value, they MUST set the - "Programmed" condition in status to False with a reason of "AddressNotAssigned". - - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. - maxLength: 253 + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string + required: + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: Hostname value must only contain valid characters (matching - ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) - rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): - true' - maxItems: 16 + maxItems: 8 type: array - x-kubernetes-validations: - - message: IPAddress values must be unique - rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, - a2.type == a1.type && a2.value == a1.value) : true )' - - message: Hostname values must be unique - rule: 'self.all(a1, a1.type == ''Hostname'' ? 
self.exists_one(a2, - a2.type == a1.type && a2.value == a1.value) : true )' - allowedListeners: + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: description: |- - AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. - properties: - namespaces: - default: - from: None - description: |- - Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. - properties: - from: - default: None - description: |- - From indicates where ListenerSets can attach to this Gateway. Possible - values are: - - * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * All: ListenerSets in all namespaces may be attached to this Gateway. - * None: Only listeners defined in the Gateway's spec are allowed - - While this feature is experimental, the default value None - enum: - - All - - Selector - - Same - - None - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only ListenerSets in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - backendTLS: - description: |- - BackendTLS configures TLS settings for when this Gateway is connecting to - backends with TLS. - - Support: Core - properties: - clientCertificateRef: - description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. + SupportedFeatures is the set of features the GatewayClass support. + It MUST be sorted in ascending alphabetical order by the Name key. + items: + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. 
+ type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. 
This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. - This setting can be overridden on the service level by use of BackendTLSPolicy. + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. - Support: Core - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. 
+ Example: "example.net/gateway-controller". - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + This field is not mutable and cannot be empty. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - gatewayClassName: - description: |- - GatewayClassName used for this Gateway. This is the name of a - GatewayClass resource. + Support: Core maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - infrastructure: + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: description: |- - Infrastructure defines infrastructure level attributes about this Gateway instance. - - Support: Extended - properties: - annotations: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Annotations that SHOULD be applied to any resources created in response to this Gateway. - - For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. - For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. 
- - An implementation may chose to add additional implementation-specific annotations as they see fit. + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. - Support: Extended - maxProperties: 8 - type: object - x-kubernetes-validations: - - message: Annotation keys must be in the form of an optional - DNS subdomain prefix followed by a required name segment of - up to 63 characters. - rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) - - message: If specified, the annotation key's prefix must be a - DNS subdomain not longer than 253 characters in total. - rule: self.all(key, key.split("/")[0].size() < 253) - labels: - additionalProperties: - description: |- - LabelValue is the value of a label in the Gateway API. This is used for validation - of maps such as Gateway infrastructure labels. This matches the Kubernetes - label validation rules: - * must be 63 characters or less (can be empty), - * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), - * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. - Valid values include: + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. 
- * MyValue - * my.name - * 123-my-value - maxLength: 63 - minLength: 0 - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - description: |- - Labels that SHOULD be applied to any resources created in response to this Gateway. + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. - For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. - An implementation may chose to add additional implementation-specific labels as they see fit. 
+ Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. - If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - change, it SHOULD clearly warn about this behavior in documentation. + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. 
+ This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: |- + SupportedFeatures is the set of features the GatewayClass support. + It MUST be sorted in ascending alphabetical order by the Name key. + items: + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. 
+ type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_gateways.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |- + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in an associated entry in GatewayStatus.Conditions. - Support: Extended - maxProperties: 8 - type: object - x-kubernetes-validations: - - message: Label keys must be in the form of an optional DNS subdomain - prefix followed by a required name segment of up to 63 characters. - rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) - - message: If specified, the label key's prefix must be a DNS - subdomain not longer than 253 characters in total. - rule: self.all(key, key.split("/")[0].size() < 253) - parametersRef: - description: |- - ParametersRef is a reference to a resource that contains the configuration - parameters corresponding to the Gateway. This is optional if the - controller does not require any additional configuration. + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. 
- This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. - The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, - the merging behavior is implementation specific. - It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + Support: Extended + items: + description: GatewaySpecAddress describes an address that can be + bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + When a value is unspecified, an implementation SHOULD automatically + assign an address matching the requested type if possible. + + If an implementation does not support an empty value, they MUST set the + "Programmed" condition in status to False with a reason of "AddressNotAssigned". + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + type: string + type: object + x-kubernetes-validations: + - message: Hostname value must be empty or contain only valid characters + (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? 
(!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): + true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' + allowedListeners: + description: |- + AllowedListeners defines which ListenerSets can be attached to this Gateway. + While this feature is experimental, the default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: |- + Namespaces defines which namespaces ListenerSets can be attached to this Gateway. + While this feature is experimental, the default value is to allow no ListenerSets. + properties: + from: + default: None + description: |- + From indicates where ListenerSets can attach to this Gateway. Possible + values are: + + * Same: Only ListenerSets in the same namespace may be attached to this Gateway. + * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. + * All: ListenerSets in all namespaces may be attached to this Gateway. + * None: Only listeners defined in the Gateway's spec are allowed + + While this feature is experimental, the default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only ListenerSets in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + defaultScope: + description: |- + DefaultScope, when set, configures the Gateway as a default Gateway, + meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) + attached to it, according to the scope configured here. + + If unset (the default) or set to None, the Gateway will not act as a + default Gateway; if set, the Gateway will claim any Route with a + matching scope set in its UseDefaultGateway field, subject to the usual + rules about which routes the Gateway can attach to. + + Think carefully before using this functionality! 
While the normal rules + about which Route can apply are still enforced, it is simply easier for + the wrong Route to be accidentally attached to this Gateway in this + configuration. If the Gateway operator is not also the operator in + control of the scope (e.g. namespace) with tight controls and checks on + what kind of workloads and Routes get added in that scope, we strongly + recommend not using this just because it seems convenient, and instead + stick to direct Route attachment. + enum: + - All + - None + type: string + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: |- + Infrastructure defines infrastructure level attributes about this Gateway instance. + + Support: Extended + properties: + annotations: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Annotations that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. + For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. + + An implementation may chose to add additional implementation-specific annotations as they see fit. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: |- + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + Labels that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. + For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + + An implementation may chose to add additional implementation-specific labels as they see fit. + + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the Gateway. This is optional if the + controller does not require any additional configuration. + + This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + + The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. If the referent cannot be found, refers to an unsupported kind, or when the data within that resource is malformed, the Gateway SHOULD be @@ -1825,6 +2492,7 @@ spec: type: object maxItems: 8 type: array + x-kubernetes-list-type: atomic namespaces: default: from: Same @@ -1992,7 +2660,7 @@ spec: the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". - The association of SNIs to Certificate defined in GatewayTLSConfig is + The association of SNIs to Certificate defined in ListenerTLSConfig is defined based on the Hostname field for this listener. The GatewayClass MUST use the longest matching SNI out of all 
@@ -2079,107 +2747,21 @@ spec: type: object maxItems: 64 type: array - frontendValidation: + x-kubernetes-list-type: atomic + mode: + default: Terminate description: |- - FrontendValidation holds configuration information for validating the frontend (client). - Setting this field will require clients to send a client certificate - required for validation during the TLS handshake. In browsers this may result in a dialog appearing - that requests a user to specify the client certificate. - The maximum depth of a certificate chain accepted in verification is Implementation specific. - - Support: Extended - properties: - caCertificateRefs: - description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one reference, or other kinds - of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - items: - description: |- - ObjectReference identifies an API object including its namespace. + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. 
- - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When set to the empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "ConfigMap" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - minItems: 1 - type: array - type: object - mode: - default: Terminate - description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: - - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. 
+ - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. Support: Core enum: 
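Review bot: Removing `frontendValidation` from the listener `tls` schema in this hunk leaves no visible migration path for Gateways that already set it. With a structural schema the API server would normally prune a field that is no longer declared, so a listener that relied on `frontendValidation.caCertificateRefs` for client-certificate checks could end up serving without them once the new CRD is applied; whether the controller in this repository reads that field is not visible in the diff. I would add an upgrade note along the lines of `listeners[].tls.frontendValidation is replaced by spec.tls.frontend.default.validation (or spec.tls.frontend.perPort[].tls.validation); migrate existing Gateways before applying the new CRDs`, and check the cluster for Gateways that still carry the old field before rollout. The same concern applies to the `backendTLS` to `tls.backend` move in the hunk at -2744 and to the repeated listener hunk at -3417.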
@@ -2244,6 +2826,366 @@ spec: rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + tls: + description: |- + TLS specifies frontend and backend tls configuration for entire gateway. + + Support: Extended + properties: + backend: + description: |- + Backend describes TLS configuration for gateway when connecting + to backends. + + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: |- + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. + + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. 
+ + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: + description: |- + The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. 
+ + Support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. 
+ properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. 
+ + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object + type: object required: - gatewayClassName - listeners @@ -2318,6 +3260,7 @@ spec: true' maxItems: 16 type: array + x-kubernetes-list-type: atomic conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -2531,6 +3474,7 @@ spec: type: object maxItems: 8 type: array + x-kubernetes-list-type: atomic required: - attachedRoutes - conditions @@ -2595,7 +3539,7 @@ spec: Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST - indicate this in the associated entry in GatewayStatus.Addresses. + indicate this in an associated entry in GatewayStatus.Conditions. The Addresses field represents a request for the address(es) on the "outside of the Gateway", that traffic bound for this Gateway will use. 
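Review bot: The new `mode` enum under `tls.frontend.default.validation` and `tls.frontend.perPort[].tls.validation` admits `AllowInsecureFallback`, and nothing in this hunk shows how that choice becomes visible to an operator. By the field's own description the gateway then accepts connections whose client certificate is missing or fails verification, so a Gateway can list `caCertificateRefs` and look as if it enforces mutual TLS while it does not. The schema is presumably taken from upstream unchanged, so I would not edit it here; instead state in the upgrade notes that `mode: AllowValidOnly` is the default and the only setting that enforces client certificates, and consider having the controller report Gateways that set `AllowInsecureFallback` through a status condition or a log line.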
@@ -2650,19 +3594,22 @@ spec: type: string type: object x-kubernetes-validations: - - message: Hostname value must only contain valid characters (matching - ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) - rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + - message: Hostname value must be empty or contain only valid characters + (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): true' maxItems: 16 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: IPAddress values must be unique - rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, - a2.type == a1.type && a2.value == a1.value) : true )' + rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' - message: Hostname values must be unique - rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, - a2.type == a1.type && a2.value == a1.value) : true )' + rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. 
@@ -2744,70 +3691,29 @@ spec: x-kubernetes-map-type: atomic type: object type: object - backendTLS: + defaultScope: description: |- - BackendTLS configures TLS settings for when this Gateway is connecting to - backends with TLS. - - Support: Core - properties: - clientCertificateRef: - description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - This setting can be overridden on the service level by use of BackendTLSPolicy. - - Support: Core - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
- - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object + DefaultScope, when set, configures the Gateway as a default Gateway, + meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) + attached to it, according to the scope configured here. + + If unset (the default) or set to None, the Gateway will not act as a + default Gateway; if set, the Gateway will claim any Route with a + matching scope set in its UseDefaultGateway field, subject to the usual + rules about which routes the Gateway can attach to. + + Think carefully before using this functionality! While the normal rules + about which Route can apply are still enforced, it is simply easier for + the wrong Route to be accidentally attached to this Gateway in this + configuration. If the Gateway operator is not also the operator in + control of the scope (e.g. namespace) with tight controls and checks on + what kind of workloads and Routes get added in that scope, we strongly + recommend not using this just because it seems convenient, and instead + stick to direct Route attachment. + enum: + - All + - None + type: string gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -3163,6 +4069,7 @@ spec: type: object maxItems: 8 type: array + x-kubernetes-list-type: atomic namespaces: default: from: Same @@ -3330,7 +4237,7 @@ spec: the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". - The association of SNIs to Certificate defined in GatewayTLSConfig is + The association of SNIs to Certificate defined in ListenerTLSConfig is defined based on the Hostname field for this listener. The GatewayClass MUST use the longest matching SNI out of all 
@@ -3417,107 +4324,21 @@ spec: type: object maxItems: 64 type: array - frontendValidation: + x-kubernetes-list-type: atomic + mode: + default: Terminate description: |- - FrontendValidation holds configuration information for validating the frontend (client). - Setting this field will require clients to send a client certificate - required for validation during the TLS handshake. In browsers this may result in a dialog appearing - that requests a user to specify the client certificate. - The maximum depth of a certificate chain accepted in verification is Implementation specific. - - Support: Extended - properties: - caCertificateRefs: - description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one reference, or other kinds - of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - items: - description: |- - ObjectReference identifies an API object including its namespace. + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. 
- - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When set to the empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "ConfigMap" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - minItems: 1 - type: array - type: object - mode: - default: Terminate - description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: - - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. 
+ - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. Support: Core enum: 
@@ -3582,6 +4403,366 @@ spec: rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + tls: + description: |- + TLS specifies frontend and backend tls configuration for entire gateway. + + Support: Extended + properties: + backend: + description: |- + Backend describes TLS configuration for gateway when connecting + to backends. + + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: |- + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. + + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. 
+ + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: + description: |- + The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. 
+ + Support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one certificate in a ConfigMap + with different keys or more than one reference, or other kinds of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. 
+ properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. 
+ + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object + type: object required: - gatewayClassName - listeners @@ -3656,6 +4837,7 @@ spec: true' maxItems: 16 type: array + x-kubernetes-list-type: atomic conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3869,6 +5051,7 @@ spec: type: object maxItems: 8 type: array + x-kubernetes-list-type: atomic required: - attachedRoutes - conditions @@ -3903,9 +5086,8 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io 
@@ -3983,9138 +5165,11182 @@ spec: Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label MUST appear by itself as the first label. + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. 
The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. 
For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. 
If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). 
+ + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. 
+ + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. 
+ + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. 
If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + Support: Core for Kubernetes Service + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) 
+ items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". 
Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: 
'!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. 
+ + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + If an implementation cannot support a combination of filters, it must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo - If a hostname is specified by both the Listener and GRPCRoute, there - MUST be at least one intersecting hostname for the GRPCRoute to be - attached to the Listener. For example: + Config: + add: + - name: "my-header" + value: "bar,baz" - * A Listener with `test.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - If both the Listener and GRPCRoute have specified hostnames, any - GRPCRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - GRPCRoute specified `test.example.com` and `test.example.net`, - `test.example.net` MUST NOT be considered for a match. + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - If both the Listener and GRPCRoute have specified hostnames, and none - match with the criteria above, then the GRPCRoute MUST NOT be accepted by - the implementation. The implementation MUST raise an 'Accepted' Condition - with a status of `False` in the corresponding RouteParentStatus. + Config: + remove: ["my-header1", "my-header3"] - If a Route (A) of type HTTPRoute or GRPCRoute is attached to a - Listener and that listener already has another Route (B) of the other - type attached and the intersection of the hostnames of A and B is - non-empty, then the implementation MUST accept exactly one of these two - routes, determined by the following criteria, in order: + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". 
+ Input: + GET /foo HTTP/1.1 + my-header: foo - The rejected Route MUST raise an 'Accepted' condition with a status of - 'False' in the corresponding RouteParentStatus. + Config: + set: + - name: "my-header" + value: "bar" - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). 
+ - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. 
+ + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - 
message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming + gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. - There are two kinds of parent resources with "Core" support: + For example, take the following matches configuration: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` - This API may be extended in the future to support additional kinds of parent - resources. + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: - ParentRefs must be _distinct_. This means either that: + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. - Some examples: + If no matches are specified, the implementation MUST match every gRPC request. 
- * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. 
+ If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" - This API may be extended in the future to support additional kinds of parent - resources. + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. 
- properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. - There are two kinds of parent resources with "Core" support: + At least one of Service and Method MUST be a non-empty string. 
+ maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Support: Implementation-specific (Exact with method specified but no service specified) - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic name: description: |- - Name is the name of the referent. + Name is the name of the route rule. This name MUST be unique within a Route if it is set. - Support: Core + Support: Extended maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. 
Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: + sessionPersistence: description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. + SessionPersistence defines and configures session persistence + for the route rule. - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. 
+ Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + Defaults to "Session". - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. 
In the - following resources, SectionName is interpreted as the following: + Support: Core for "Session" type - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
+ Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use a header or cookie. Defaults to cookie based session + persistence. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' type: object - maxItems: 32 + maxItems: 16 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of GRPC matchers, filters and actions. + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() + : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size() + : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() + : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() + : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() + : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() + : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size() + : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() + : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() + : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? 
self[9].matches.size() + : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() + : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() + : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() + : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() + : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() + : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size() + : 0) : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. 
When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. items: description: |- - GRPCRouteRule defines the semantics for matching a gRPC request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). + RouteParentStatus describes the status of a route with respect to an + associated Parent. properties: - backendRefs: + conditions: description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. - - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. - - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive an `UNAVAILABLE` status. - - See the GRPCBackendRef definition for the rules about what makes a single - GRPCBackendRef invalid. - - When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for - requests that would have otherwise been routed to an invalid backend. If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive an `UNAVAILABLE` status. - - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. 
- Implementations may choose how that 50 percent is determined. - - Support: Core for Kubernetes Service - - Support: Implementation-specific for any other resource - - Support for weight: Core - items: - description: |- - GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. 
Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. properties: - filters: + lastTransitionTime: description: |- - Filters defined at this level MUST be executed if and only if the - request is being forwarded to the backend defined here. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Support: Implementation-specific (For broader support of filters, use the - Filters field in GRPCRouteRule.) - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. + Example: "example.net/gateway-controller". - Support: Implementation-specific + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. 
For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
- Input: - GET /foo HTTP/1.1 - my-header: foo + There are two kinds of parent resources with "Core" support: - Config: - add: - - name: "my-header" - value: "bar,baz" + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. 
- Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Config: - remove: ["my-header1", "my-header3"] - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - Input: - GET /foo HTTP/1.1 - my-header: foo + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. 
When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Config: - set: - - name: "my-header" - value: "bar" - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. 
- Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. 
+ Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. - Support: Extended for Kubernetes Service + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + 
singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: - Defaults to "Service" when not specified. + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: - Support: Core (Services with a type other than ExternalName) + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. 
- maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. 
The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. 
- Input: - GET /foo HTTP/1.1 - my-header: foo + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Config: - add: - - name: "my-header" - value: "bar,baz" + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + There are two kinds of parent resources with "Core" support: - Config: - remove: ["my-header1", "my-header3"] + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + This API may be extended in the future to support additional kinds of parent + resources. - Input: - GET /foo HTTP/1.1 - my-header: foo + ParentRefs must be _distinct_. This means either that: - Config: - set: - - name: "my-header" - value: "bar" + * They select different objects. If this is the case, then parentRef + entries are distinct. 
In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Some examples: - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. 
- - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` MUST be set to - "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. 
- enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for - ExtensionRef filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. 
For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: - Defaults to "Service" when not specified. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + This API may be extended in the future to support additional kinds of parent + resources. - Support: Core (Services with a type other than ExternalName) + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). 
- Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + There are two kinds of parent resources with "Core" support: - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. 
+ * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - type: array - filters: + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: description: |- - Filters define the filters that are applied to requests that match - this rule. + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - The effects of ordering of multiple behaviors are currently unspecified. - This can change in the future based on feedback during the alpha stage. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Conformance-levels at this level are defined based on the type of filter: - - ALL core filters MUST be supported by all implementations that support - GRPCRoute. - - Implementers are encouraged to support extended filters. 
- - Implementation-specific custom filters have no API guarantees across - implementations. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - If an implementation cannot support a combination of filters, it must clearly - document that limitation. In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. Support: Core - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - Support: Implementation-specific - - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. 
For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - Config: - add: - - name: "my-header" - value: "bar,baz" + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. 
Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - Config: - remove: ["my-header1", "my-header3"] + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. 
For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. - Input: - GET /foo HTTP/1.1 - my-header: foo + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: - Config: - set: - - name: "my-header" - value: "bar" + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. 
- maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. 
+ Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. 
+ items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. 
- In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. - Support: Extended for Kubernetes Service + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + Support: Core for Kubernetes Service - Defaults to "Service" when not specified. + Support: Extended for Kubernetes ServiceImport - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + Support: Implementation-specific for any other resource - Support: Core (Services with a type other than ExternalName) + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. 
- Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. 
- properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal to - denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be specified - in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - responseHeaderModifier: + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + properties: + filters: description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. 
It appends to any existing values associated - with the header name. + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. + + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. - Input: - GET /foo HTTP/1.1 - my-header: foo + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - Config: - add: - - name: "my-header" - value: "bar,baz" + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: + Support: Extended + type: boolean + allowHeaders: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. 
Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Header names are not case sensitive. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). - Config: - remove: ["my-header1", "my-header3"] + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. - Input: - GET /foo HTTP/1.1 - my-header: foo + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. 
- Config: - set: - - name: "my-header" - value: "bar" + A wildcard indicates that the requests with all HTTP headers are allowed. + The `Access-Control-Allow-Headers` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: + When the `AllowCredentials` field is true and `AllowHeaders` field + specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. A Gateway + implementation may choose to add implementation-specific default headers. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowMethods: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. 
- If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. + Method names are case sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. 
`Type` MUST be set to - "ExtensionRef" for custom filters. + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be 
specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for ExtensionRef - filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - matches: - description: |- - Matches define conditions used for matching the rule against incoming - gRPC requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + The `Access-Control-Allow-Methods` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. + + When the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. A Gateway implementation may + choose to add implementation-specific default methods. 
- For example, take the following matches configuration: + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. - ``` - matches: - - method: - service: foo.bar - headers: - values: - version: 2 - - method: - service: foo.bar.v2 - ``` + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. - For a request to match against this rule, it MUST satisfy - EITHER of the two conditions: + Valid values for scheme are: `http` and `https`. - - service of foo.bar AND contains the header `version: 2` - - service of foo.bar.v2 + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. - See the documentation for GRPCRouteMatch on how to specify multiple - match conditions to be ANDed together. + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: - If no matches are specified, the implementation MUST match every gRPC request. + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. - Proxy or Load Balancer routing configuration generated from GRPCRoutes - MUST prioritize rules based on the following criteria, continuing on - ties. 
Merging MUST not be done between GRPCRoutes and HTTPRoutes. - Precedence MUST be given to the rule with the largest number of: + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. - * Characters in a matching service. - * Characters in a matching method. - * Header matches. + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. - If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. - If ties still exist within the Route that has been given precedence, - matching precedence MUST be granted to the first matching rule meeting - the above criteria. - items: - description: |- - GRPCRouteMatch defines the predicate used to match requests to a given - action. Multiple match types are ANDed together, i.e. the match will - evaluate to true only if all conditions are satisfied. 
+ The `Access-Control-Allow-Origin` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - For example, the match below will match a gRPC request only if its service - is `foo` AND it contains the `version: v1` header: + When the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. - ``` - matches: - - method: - type: Exact - service: "foo" - headers: - - name: "version" - value "v1" + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. - ``` - properties: - headers: - description: |- - Headers specifies gRPC request header matchers. Multiple match values are - ANDed together, meaning, a request MUST match all the specified headers - to select the route. - items: - description: |- - GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request - headers. 
- properties: - name: - description: |- - Name is the name of the gRPC Header to be matched. + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: Type specifies how to match against - the value of the header. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of the gRPC Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies a gRPC request service/method matcher. If this field is - not specified, all services and methods will match. - properties: - method: - description: |- - Value of the method to match against. If left empty or omitted, will - match all services. + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - service: - description: |- - Value of the service to match against. 
If left empty or omitted, will - match any service. + Header names are not case sensitive. - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - type: - default: Exact - description: |- - Type specifies how to match against the service and/or method. - Support: Core (Exact with service and method specified) + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). - Support: Implementation-specific (Exact with method specified but no service specified) + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - RegularExpression - type: string - type: object - x-kubernetes-validations: - - message: One or both of 'service' or 'method' must be - specified - rule: 'has(self.type) ? has(self.service) || has(self.method) - : true' - - message: service must only contain valid characters - (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): - true' - - message: method must only contain valid characters (matching - ^[A-Za-z_][A-Za-z_0-9]*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): - true' - type: object - maxItems: 64 - type: array - name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. 
- Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - sessionPersistence: - description: |- - SessionPersistence defines and configures session persistence - for the route rule. + Valid values include: - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + * "Authorization" + * "Set-Cookie" - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. + Invalid values include: - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. 
- When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. - Defaults to "Session". + This filter can be used multiple times within the same rule. - Support: Core for "Session" type + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + If there is any problem communicating with the external service, + this filter MUST fail closed. 
- Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + Support: Extended + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. - Support: Core for "Cookie" type + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". 
- Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - type: object - maxItems: 16 - type: array - x-kubernetes-validations: - - message: While 16 rules and 64 matches per rule are allowed, the - total number of matches across all rules in a route must be less - than 128 - rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() - : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size() - : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() - : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() - : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() - : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() - : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size() - : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() - : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() - : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size() - : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() - : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() - : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() - : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() - : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() - : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? 
self[15].matches.size() - : 0) : 0) <= 128' - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - type: object - status: - description: Status defines the current state of GRPCRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. 
+ Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. + It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. 
- If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. + Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. + If unset, implementations must assume the default behavior for each + included field is intended. 
+ properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. - Example: "example.net/gateway-controller". + If this list is empty, then all headers must be sent. - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + If the list has entries, only those entries must be sent. + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. 
+ + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. - There are two kinds of parent resources with "Core" support: + When empty or unspecified, no prefix is added. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. 
+ Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol + is set to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? 
has(self.grpc) + : true' + - message: protocol must be 'GRPC' when grpc is + set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' + : true' + - message: http must be specified when protocol + is set to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) + : true' + - message: protocol must be 'HTTP' when http is + set + rule: 'has(self.http) ? self.protocol == ''HTTP'' + : true' + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. 
Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Input: + GET /foo HTTP/1.1 + my-header: foo - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. + Config: + set: + - name: "my-header" + value: "bar" + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: + Support: Extended for Kubernetes Service - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. 
+ Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. + Defaults to "Service" when not specified. - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
- Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - required: - - parents - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null - name: httproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: HTTPRoute - listKind: HTTPRouteList - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.hostnames - name: Hostnames - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - HTTPRoute provides a way to route HTTP requests. This includes the capability - to match requests by hostname, path, header, or query param. Filters can be - used to specify additional processing steps. Backends specify where matching - requests should be routed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of HTTPRoute. - properties: - hostnames: - description: |- - Hostnames defines a set of hostnames that should match against the HTTP Host - header to select a HTTPRoute used to process the request. Implementations - MUST ignore any port value specified in the HTTP Host header while - performing a match and (absent of any applicable header modification - configuration) MUST forward this header unmodified to the backend. + Support: Core (Services with a type other than ExternalName) - Valid values for Hostnames are determined by RFC 1123 definition of a - hostname with 2 notable exceptions: + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
- If a hostname is specified by both the Listener and HTTPRoute, there - must be at least one intersecting hostname for the HTTPRoute to be - attached to the Listener. For example: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. - * A Listener with `test.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `*.example.com`, `test.example.com`, and `foo.test.example.com` would - all match. On the other hand, `example.com` and `test.example.net` would - not match. + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. - If both the Listener and HTTPRoute have specified hostnames, any - HTTPRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - HTTPRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. 
- If both the Listener and HTTPRoute have specified hostnames, and none - match with the criteria above, then the HTTPRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. - overlapping wildcard matching and exact matching hostnames), precedence must - be given to rules from the HTTPRoute with the largest number of: + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. - If ties exist across multiple Routes, the matching precedence rules for - HTTPRouteMatches takes over. + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. 
+ * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. - There are two kinds of parent resources with "Core" support: + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - This API may be extended in the future to support additional kinds of parent - resources. + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. - ParentRefs must be _distinct_. This means either that: + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
- Some examples: + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + Input: + GET /foo HTTP/1.1 + my-header: foo + Config: + add: + - name: "my-header" + value: "bar,baz" - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. 
+ Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
- * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - This API may be extended in the future to support additional kinds of parent - resources. + Config: + remove: ["my-header1", "my-header3"] - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + Input: + GET /foo HTTP/1.1 + my-header: foo - There are two kinds of parent resources with "Core" support: + Config: + set: + - name: "my-header" + value: "bar" - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Support for other resources is Implementation-Specific. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. 
- Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + - ExternalAuth + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. 
- Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. - When the parent resource is a Service, this targets a specific port in the - Service spec. 
When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? 
self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: 
'!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: filter.externalAuth must be nil if the filter.type + is not ExternalAuth + rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' + - message: filter.externalAuth must be specified for + ExternalAuth filter.type + rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". 
+ When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: + Defaults to "Service" when not specified. - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - When unspecified (empty string), this will reference the entire resource. 
- For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - default: - - matches: - - path: - type: PathPrefix - value: / - description: Rules are a list of HTTP matchers, filters and actions. - items: - description: |- - HTTPRouteRule defines semantics for matching an HTTP request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). - properties: - backendRefs: - description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive a 500 status code. + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. - See the HTTPBackendRef definition for the rules about what makes a single - HTTPBackendRef invalid. + Wherever possible, implementations SHOULD implement filters in the order + they are specified. - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for - requests that would have otherwise been routed to an invalid backend. 
If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive a 500 status code. + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that cannot be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic must receive a 500. Implementations may - choose how that 50 percent is determined. + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. - When a HTTPBackendRef refers to a Service that has no ready endpoints, - implementations SHOULD return a 503 for requests to that backend instead. - If an implementation chooses to do this, all of the above rules for 500 responses - MUST also apply for responses that return a 503. + Conformance-levels at this level are defined based on the type of filter: - Support: Core for Kubernetes Service + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. - Support: Extended for Kubernetes ServiceImport + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. - Support: Implementation-specific for any other resource + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. 
If an + implementation cannot support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. - Support for weight: Core + Support: Core items: description: |- - HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). 
- Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. + Header names are not case sensitive. - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: - filters: - description: |- - Filters defined at this level should be executed if and only if the - request is being forwarded to the backend defined here. + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). - Support: Implementation-specific (For broader support of filters, use the - Filters field in HTTPRouteRule.) - items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - cors: - description: |- - CORS defines a schema for a filter that responds to the - cross-origin request based on HTTP response header. 
+ When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. - Support: Extended - properties: - allowCredentials: - description: |- - AllowCredentials indicates whether the actual cross-origin request allows - to include credentials. + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + The `Access-Control-Allow-Headers` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. + + When the `AllowCredentials` field is true and `AllowHeaders` field + specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. A Gateway + implementation may choose to add implementation-specific default headers. - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. 
+ Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. - Support: Extended - enum: - - true - type: boolean - allowHeaders: - description: |- - AllowHeaders indicates which HTTP request headers are supported for - accessing the requested resource. + Valid values include: - Header names are not case sensitive. + * "Authorization" + * "Set-Cookie" - Multiple header names in the value of the `Access-Control-Allow-Headers` - response header are separated by a comma (","). + Invalid values include: - When the `AllowHeaders` field is configured with one or more headers, the - gateway must return the `Access-Control-Allow-Headers` response header - which value is present in the `AllowHeaders` field. + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. - If any header name in the `Access-Control-Request-Headers` request header - is not included in the list of header names specified by the response - header `Access-Control-Allow-Headers`, it will present an error on the - client side. + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. - If any header name in the `Access-Control-Allow-Headers` response header - does not recognize by the client, it will also occur an error on the - client side. + Method names are case sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - A wildcard indicates that the requests with all HTTP headers are allowed. 
- The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more - HTTP headers in the value of the `Access-Control-Allow-Headers` response - header. The value of the header `Access-Control-Allow-Headers` is same as - the `Access-Control-Request-Headers` header provided by the client. If - the header `Access-Control-Request-Headers` is not included in the - request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. - Support: Extended - items: - description: |- - HTTPHeaderName is the name of an HTTP header. + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. - Valid values include: + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. - * "Authorization" - * "Set-Cookie" + The `Access-Control-Allow-Methods` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. 
- Invalid values include: + When the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. A Gateway implementation may + choose to add implementation-specific default methods. - - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo - headers are not currently supported by this type. - - "/invalid" - "/ " is an invalid character - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - allowMethods: - description: |- - AllowMethods indicates which HTTP methods are supported for accessing the - requested resource. + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. - Valid values are any method defined by RFC9110, along with the special - value `*`, which represents all HTTP methods are allowed. + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. - Method names are case sensitive, so these values are also case-sensitive. 
- (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + Valid values for scheme are: `http` and `https`. - Multiple method names in the value of the `Access-Control-Allow-Methods` - response header are separated by a comma (","). + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. - A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - CORS-safelisted methods are always allowed, regardless of whether they - are specified in the `AllowMethods` field. + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: - When the `AllowMethods` field is configured with one or more methods, the - gateway must return the `Access-Control-Allow-Methods` response header - which value is present in the `AllowMethods` field. + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. - If the HTTP method of the `Access-Control-Request-Method` request header - is not included in the list of methods specified by the response header - `Access-Control-Allow-Methods`, it will present an error on the client - side. + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. 
If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. - When the `AllowCredentials` field is specified and `AllowMethods` field - specified with the `*` wildcard, the gateway must specify one HTTP method - in the value of the Access-Control-Allow-Methods response header. The - value of the header `Access-Control-Allow-Methods` is same as the - `Access-Control-Request-Method` header provided by the client. If the - header `Access-Control-Request-Method` is not included in the request, - the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). - Support: Extended - items: - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - - '*' - type: string - maxItems: 9 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: AllowMethods cannot contain '*' alongside - other methods - rule: '!(''*'' in self && self.size() > 1)' - allowOrigins: - description: |- - AllowOrigins indicates whether the response can be shared with requested - resource from the given `Origin`. + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. 
- The `Origin` consists of a scheme and a host, with an optional port, and - takes the form `://(:)`. + The `Access-Control-Allow-Origin` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - Valid values for scheme are: `http` and `https`. + When the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. - Valid values for port are any integer between 1 and 65535 (the list of - available TCP/UDP ports). Note that, if not included, port `80` is - assumed for `http` scheme origins, and port `443` is assumed for `https` - origins. This may affect origin matching. + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. - The host part of the origin may contain the wildcard character `*`. 
These - wildcard characters behave as follows: + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. - * `*` is a greedy match to the _left_, including any number of - DNS labels to the left of its position. This also means that - `*` will include any number of period `.` characters to the - left of its position. - * A wildcard by itself matches all hosts. + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. - An origin value that includes _only_ the `*` character indicates requests - from all `Origin`s are allowed. + Header names are not case sensitive. - When the `AllowOrigins` field is configured with multiple origins, it - means the server supports clients from multiple origins. If the request - `Origin` matches the configured allowed origins, the gateway must return - the given `Origin` and sets value of the header - `Access-Control-Allow-Origin` same as the `Origin` header provided by the - client. + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). - The status code of a successful response to a "preflight" request is - always an OK status (i.e., 204 or 200). + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the `AllowCredentials` field is false or omitted. 
- If the request `Origin` does not match the configured allowed origins, - the gateway returns 204/200 response but doesn't set the relevant - cross-origin response headers. Alternatively, the gateway responds with - 403 status to the "preflight" request is denied, coupled with omitting - the CORS headers. The cross-origin request fails on the client side. - Therefore, the client doesn't attempt the actual cross-origin request. + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Valid values include: - When the `AllowCredentials` field is specified and `AllowOrigins` field - specified with the `*` wildcard, the gateway must return a single origin - in the value of the `Access-Control-Allow-Origin` response header, - instead of specifying the `*` wildcard. The value of the header - `Access-Control-Allow-Origin` is same as the `Origin` header provided by - the client. + * "Authorization" + * "Set-Cookie" - Support: Extended - items: - description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that - include an authority MUST include a fully qualified domain name or - IP address as the host. - maxLength: 253 - minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - exposeHeaders: - description: |- - ExposeHeaders indicates which HTTP response headers can be exposed - to client-side scripts in response to a cross-origin request. + Invalid values include: - A CORS-safelisted response header is an HTTP header in a CORS response - that it is considered safe to expose to the client scripts. 
- The CORS-safelisted response headers include the following headers: - `Cache-Control` - `Content-Language` - `Content-Length` - `Content-Type` - `Expires` - `Last-Modified` - `Pragma` - (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - The CORS-safelisted response headers are exposed to client by default. + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. - When an HTTP header name is specified using the `ExposeHeaders` field, - this additional header will be exposed as part of the response to the - client. + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. - Header names are not case sensitive. + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. - Multiple header names in the value of the `Access-Control-Expose-Headers` - response header are separated by a comma (","). + This filter can be used multiple times within the same rule. - A wildcard indicates that the responses with all HTTP headers are exposed - to clients. 
The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. - Support: Extended - items: - description: |- - HTTPHeaderName is the name of an HTTP header. + If there is any problem communicating with the external service, + this filter MUST fail closed. - Valid values include: + Support: Extended + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. - * "Authorization" - * "Set-Cookie" + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. - Invalid values include: + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo - headers are not currently supported by this type. - - "/invalid" - "/ " is an invalid character - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - maxAge: - default: 5 - description: |- - MaxAge indicates the duration (in seconds) for the client to cache the - results of a "preflight" request. + Defaults to "Service" when not specified. - The information provided by the `Access-Control-Allow-Methods` and - `Access-Control-Allow-Headers` response headers can be cached by the - client until the time specified by `Access-Control-Max-Age` elapses. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - The default value of `Access-Control-Max-Age` response header is 5 - (seconds). - format: int32 - minimum: 1 - type: integer - type: object - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. + Support: Core (Services with a type other than ExternalName) - This filter can be used multiple times within the same rule. 
+ Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - Support: Implementation-specific - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. 
In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. - Input: - GET /foo HTTP/1.1 - my-header: foo + It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. - Config: - add: - - name: "my-header" - value: "bar,baz" + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. 
Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. - Config: - remove: ["my-header1", "my-header3"] + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + If this list is empty, then all headers must be sent. - Input: - GET /foo HTTP/1.1 - my-header: foo + If the list has entries, only those entries must be sent. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. - Config: - set: - - name: "my-header" - value: "bar" + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. + When empty or unspecified, no prefix is added. - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. + Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. 
- Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol is set + to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? has(self.grpc) : + true' + - message: protocol must be 'GRPC' when grpc is set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' : + true' + - message: http must be specified when protocol is set + to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) : + true' + - message: protocol must be 'HTTP' when http is set + rule: 'has(self.http) ? self.protocol == ''HTTP'' : + true' + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
- If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. + Input: + GET /foo HTTP/1.1 + my-header: foo - Support: Extended for Kubernetes Service + Config: + add: + - name: "my-header" + value: "bar,baz" - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Defaults to "Service" when not specified. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - Support: Core (Services with a type other than ExternalName) + Config: + remove: ["my-header1", "my-header3"] - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. 
See the ReferenceGrant - documentation for details. + Input: + GET /foo HTTP/1.1 + my-header: foo - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. + Config: + set: + - name: "my-header" + value: "bar" - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
- Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string required: - - backendRef + - name + - value type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. 
- Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. 
+ Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. - If no port is specified, the redirect port MUST be derived using the - following rules: + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. 
+ Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. 
+ Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + If no port is specified, the redirect port MUST be derived using the + following rules: - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. 
- Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: - Input: - GET /foo HTTP/1.1 - my-header: foo + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. - Config: - add: - - name: "my-header" - value: "bar,baz" + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. - Config: - remove: ["my-header1", "my-header3"] + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Input: - GET /foo HTTP/1.1 - my-header: foo + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. - Config: - set: - - name: "my-header" - value: "bar" + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. 
- Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: + Input: + GET /foo HTTP/1.1 + my-header: foo - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. + Config: + add: + - name: "my-header" + value: "bar,baz" - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. 
+ Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - Implementation-specific: Filters that are defined and supported by - specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. 
Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Input: + GET /foo HTTP/1.1 + my-header: foo - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - - CORS - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. + Config: + set: + - name: "my-header" + value: "bar" - Support: Extended + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. properties: - hostname: + name: description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Support: Extended - maxLength: 253 + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. 
+ maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string - path: - description: |- - Path defines a path rewrite. + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? 
self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the - filter.type is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != - ''RequestRedirect'')' - - message: filter.requestRedirect must be specified - for RequestRedirect filter.type - rule: '!(!has(self.requestRedirect) && self.type == - ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: 
'!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for - ExtensionRef filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') - && self.exists(f, f.type == ''URLRewrite''))' - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') - && self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() - <= 1 - - message: URLRewrite filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + - ExternalAuth type: string - kind: - default: Service + urlRewrite: description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + URLRewrite defines a schema for a filter that modifies a request during forwarding. - Defaults to "Service" when not specified. + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. - Support: Core (Services with a type other than ExternalName) + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. 
For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? 
has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object required: - - name + - type type: object x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - 
message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: filter.externalAuth must be nil if the filter.type + is not ExternalAuth + rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' + - message: filter.externalAuth must be specified for ExternalAuth + filter.type + rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')' maxItems: 16 type: array - filters: + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / description: |- - Filters define the filters that are applied to requests that match - this rule. 
+ Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. - Wherever possible, implementations SHOULD implement filters in the order - they are specified. + For example, take the following matches configuration: - Implementations MAY choose to implement this ordering strictly, rejecting - any combination or order of filters that cannot be supported. If implementations - choose a strict interpretation of filter ordering, they MUST clearly document - that behavior. + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` - To reject an invalid combination or order of filters, implementations SHOULD - consider the Route Rules with this configuration invalid. If all Route Rules - in a Route are invalid, the entire Route would be considered invalid. If only - a portion of Route Rules are invalid, implementations MUST set the - "PartiallyInvalid" condition for the Route. + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: - Conformance-levels at this level are defined based on the type of filter: + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. 
+ * Largest number of query param matches. + + Note: The precedence of RegularExpression path matches are implementation-specific. - - ALL core filters MUST be supported by all implementations. - - Implementers are encouraged to support extended filters. - - Implementation-specific custom filters have no API guarantees across - implementations. + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". - All filters are expected to be compatible with each other except for the - URLRewrite and RequestRedirect filters, which may not be combined. If an - implementation cannot support other combinations of filters, they must clearly - document that limitation. In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. - Support: Core + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. 
API - guarantee/conformance is defined based on the type of the filter. + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" properties: - cors: + headers: description: |- - CORS defines a schema for a filter that responds to the - cross-origin request based on HTTP response header. - - Support: Extended - properties: - allowCredentials: - description: |- - AllowCredentials indicates whether the actual cross-origin request allows - to include credentials. - - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). - - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Support: Extended - enum: - - true - type: boolean - allowHeaders: - description: |- - AllowHeaders indicates which HTTP request headers are supported for - accessing the requested resource. + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. 
Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. - Header names are not case sensitive. + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. - Multiple header names in the value of the `Access-Control-Allow-Headers` - response header are separated by a comma (","). + Support: Core (Exact) - When the `AllowHeaders` field is configured with one or more headers, the - gateway must return the `Access-Control-Allow-Headers` response header - which value is present in the `AllowHeaders` field. + Support: Implementation-specific (RegularExpression) - If any header name in the `Access-Control-Request-Headers` request header - is not included in the list of header names specified by the response - header `Access-Control-Allow-Headers`, it will present an error on the - client side. + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. - If any header name in the `Access-Control-Allow-Headers` response header - does not recognize by the client, it will also occur an error on the - client side. + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. - A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Support: Core (Exact, PathPrefix) - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more - HTTP headers in the value of the `Access-Control-Allow-Headers` response - header. The value of the header `Access-Control-Allow-Headers` is same as - the `Access-Control-Request-Headers` header provided by the client. If - the header `Access-Control-Request-Headers` is not included in the - request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. 
+ Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. - Support: Extended - items: + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: description: |- - HTTPHeaderName is the name of an HTTP header. - - Valid values include: + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). - * "Authorization" - * "Set-Cookie" + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. - Invalid values include: + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. - - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo - headers are not currently supported by this type. 
- - "/invalid" - "/ " is an invalid character + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - allowMethods: - description: |- - AllowMethods indicates which HTTP methods are supported for accessing the - requested resource. + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. - Valid values are any method defined by RFC9110, along with the special - value `*`, which represents all HTTP methods are allowed. + Support: Extended (Exact) - Method names are case sensitive, so these values are also case-sensitive. - (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + Support: Implementation-specific (RegularExpression) - Multiple method names in the value of the `Access-Control-Allow-Methods` - response header are separated by a comma (","). + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. - A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. 
- (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - CORS-safelisted methods are always allowed, regardless of whether they - are specified in the `AllowMethods` field. + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |- + Retry defines the configuration for when to retry an HTTP request. - When the `AllowMethods` field is configured with one or more methods, the - gateway must return the `Access-Control-Allow-Methods` response header - which value is present in the `AllowMethods` field. + Support: Extended + properties: + attempts: + description: |- + Attempts specifies the maximum number of times an individual request + from the gateway to a backend should be retried. - If the HTTP method of the `Access-Control-Request-Method` request header - is not included in the list of methods specified by the response header - `Access-Control-Allow-Methods`, it will present an error on the client - side. + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. - When the `AllowCredentials` field is specified and `AllowMethods` field - specified with the `*` wildcard, the gateway must specify one HTTP method - in the value of the Access-Control-Allow-Methods response header. The - value of the header `Access-Control-Allow-Methods` is same as the - `Access-Control-Request-Method` header provided by the client. If the - header `Access-Control-Request-Method` is not included in the request, - the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. 
A Gateway implementation may - choose to add implementation-specific default methods. + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. - Support: Extended - items: - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - - '*' - type: string - maxItems: 9 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: AllowMethods cannot contain '*' alongside - other methods - rule: '!(''*'' in self && self.size() > 1)' - allowOrigins: - description: |- - AllowOrigins indicates whether the response can be shared with requested - resource from the given `Origin`. + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. - The `Origin` consists of a scheme and a host, with an optional port, and - takes the form `://(:)`. + An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. - Valid values for scheme are: `http` and `https`. + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. 
- Valid values for port are any integer between 1 and 65535 (the list of - available TCP/UDP ports). Note that, if not included, port `80` is - assumed for `http` scheme origins, and port `443` is assumed for `https` - origins. This may affect origin matching. + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. - The host part of the origin may contain the wildcard character `*`. These - wildcard characters behave as follows: + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. - * `*` is a greedy match to the _left_, including any number of - DNS labels to the left of its position. This also means that - `*` will include any number of period `.` characters to the - left of its position. - * A wildcard by itself matches all hosts. + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. - An origin value that includes _only_ the `*` character indicates requests - from all `Origin`s are allowed. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. - When the `AllowOrigins` field is configured with multiple origins, it - means the server supports clients from multiple origins. 
If the request - `Origin` matches the configured allowed origins, the gateway must return - the given `Origin` and sets value of the header - `Access-Control-Allow-Origin` same as the `Origin` header provided by the - client. + Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. - The status code of a successful response to a "preflight" request is - always an OK status (i.e., 204 or 200). + Implementations MUST support the following status codes as retryable: - If the request `Origin` does not match the configured allowed origins, - the gateway returns 204/200 response but doesn't set the relevant - cross-origin response headers. Alternatively, the gateway responds with - 403 status to the "preflight" request is denied, coupled with omitting - the CORS headers. The cross-origin request fails on the client side. - Therefore, the client doesn't attempt the actual cross-origin request. + * 500 + * 502 + * 503 + * 504 - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Implementations MAY support specifying additional discrete values in the + 500-599 range. - When the `AllowCredentials` field is specified and `AllowOrigins` field - specified with the `*` wildcard, the gateway must return a single origin - in the value of the `Access-Control-Allow-Origin` response header, - instead of specifying the `*` wildcard. The value of the header - `Access-Control-Allow-Origin` is same as the `Origin` header provided by - the client. + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + maximum: 599 + minimum: 400 + type: integer + type: array + x-kubernetes-list-type: atomic + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the route rule. 
- Support: Extended - items: - description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that - include an authority MUST include a fully qualified domain name or - IP address as the host. - maxLength: 253 - minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - exposeHeaders: - description: |- - ExposeHeaders indicates which HTTP response headers can be exposed - to client-side scripts in response to a cross-origin request. + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. - A CORS-safelisted response header is an HTTP header in a CORS response - that it is considered safe to expose to the client scripts. - The CORS-safelisted response headers include the following headers: - `Cache-Control` - `Content-Language` - `Content-Length` - `Content-Type` - `Expires` - `Last-Modified` - `Pragma` - (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - The CORS-safelisted response headers are exposed to client by default. 
+ When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. - When an HTTP header name is specified using the `ExposeHeaders` field, - this additional header will be exposed as part of the response to the - client. + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. - Header names are not case sensitive. + Defaults to "Session". - Multiple header names in the value of the `Access-Control-Expose-Headers` - response header are separated by a comma (","). + Support: Core for "Session" type - A wildcard indicates that the responses with all HTTP headers are exposed - to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. - Support: Extended - items: - description: |- - HTTPHeaderName is the name of an HTTP header. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. - Valid values include: + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use a header or cookie. Defaults to cookie based session + persistence. 
- * "Authorization" - * "Set-Cookie" + Support: Core for "Cookie" type - Invalid values include: + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. - - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo - headers are not currently supported by this type. - - "/invalid" - "/ " is an invalid character - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - maxAge: - default: 5 - description: |- - MaxAge indicates the duration (in seconds) for the client to cache the - results of a "preflight" request. + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. - The information provided by the `Access-Control-Allow-Methods` and - `Access-Control-Allow-Headers` response headers can be cached by the - client until the time specified by `Access-Control-Max-Age` elapses. + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. - The default value of `Access-Control-Max-Age` response header is 5 - (seconds). 
- format: int32 - minimum: 1 - type: integer - type: object - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. - This filter can be used multiple times within the same rule. + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). - Support: Implementation-specific - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. 
+ If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. - Input: - GET /foo HTTP/1.1 - my-header: foo + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. + + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? 
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? 
((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! 
The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. - Config: - add: - - name: "my-header" - value: "bar,baz" + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. 
+ Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. - Config: - remove: ["my-header1", "my-header3"] + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
+ * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Input: - GET /foo HTTP/1.1 - my-header: foo + Example: "example.net/gateway-controller". - Config: - set: - - name: "my-header" - value: "bar" + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. 
+ To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. + There are two kinds of parent resources with "Core" support: - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. + Support for other resources is Implementation-Specific. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - Support: Core (Services with a type other than ExternalName) + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. 
- maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. 
- properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal to - denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be specified - in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. 
+ Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. 
Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. 
Additional types may be - added in a future release of the API. + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? 
self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. - If no port is specified, the redirect port MUST be derived using the - following rules: + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. 
+ If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. 
For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. + There are two kinds of parent resources with "Core" support: - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + This API may be extended in the future to support additional kinds of parent + resources. - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. + ParentRefs must be _distinct_. This means either that: - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. 
+ * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. - Input: - GET /foo HTTP/1.1 - my-header: foo + Some examples: - Config: - add: - - name: "my-header" - value: "bar,baz" + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - Config: - remove: ["my-header1", "my-header3"] + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). 
There are two kinds of parent resources + with "Core" support: - Input: - GET /foo HTTP/1.1 - my-header: foo + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Config: - set: - - name: "my-header" - value: "bar" + This API may be extended in the future to support additional kinds of parent + resources. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. 
As with other API fields, - types are classified into three conformance levels: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. + There are two kinds of parent resources with "Core" support: - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - - Implementation-specific: Filters that are defined and supported by - specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. 
+ Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - - CORS - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Support: Extended - properties: - hostname: - description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines a path rewrite. - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. 
- maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. 
- Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? 
self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the filter.type - is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' - - message: filter.requestRedirect must be specified for RequestRedirect - filter.type - rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - 
message: filter.extensionRef must be specified for ExtensionRef - filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') && - self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() <= - 1 - - message: URLRewrite filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 - matches: - default: - - path: - type: PathPrefix - value: / - description: |- - Matches define conditions used for matching the rule against incoming - HTTP requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
- For example, take the following matches configuration: + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: - ``` - matches: - - path: - value: "/foo" - headers: - - name: "version" - value: "v2" - - path: - value: "/v2/foo" - ``` + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. - For a request to match against this rule, a request must satisfy - EITHER of the two conditions: + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. - - path prefixed with `/foo` AND contains the header `version: v2` - - path prefix of `/v2/foo` + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. - See the documentation for HTTPRouteMatch on how to specify multiple - match conditions that should be ANDed together. 
+ Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. 
+ items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. - If no matches are specified, the default is a prefix - path match on "/", which has the effect of matching every - HTTP request. + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. - Proxy or Load Balancer routing configuration generated from HTTPRoutes - MUST prioritize matches based on the following criteria, continuing on - ties. Across all rules specified on applicable Routes, precedence must be - given to the match having: + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. - * "Exact" path match. - * "Prefix" path match with largest number of characters. - * Method match. - * Largest number of header matches. - * Largest number of query param matches. + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. - Note: The precedence of RegularExpression path matches are implementation-specific. + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. - If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. 
Implementations may + choose how that 50 percent is determined. - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. - If ties still exist within an HTTPRoute, matching precedence MUST be granted - to the FIRST matching rule (in list order) with a match meeting the above - criteria. + Support: Core for Kubernetes Service - When no rules matching a request have been successfully attached to the - parent a request is coming from, a HTTP 404 status code MUST be returned. - items: - description: "HTTPRouteMatch defines the predicate used to - match requests to a given\naction. Multiple match types - are ANDed together, i.e. the match will\nevaluate to true - only if all conditions are satisfied.\n\nFor example, the - match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n```" - properties: - headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. - items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ Support: Extended for Kubernetes ServiceImport - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. + Support: Implementation-specific for any other resource - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: |- - Type specifies how to match against the value of the header. + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. - Support: Core (Exact) + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Implementation-specific (RegularExpression) - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP Header to - be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. - Support: Extended - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - type: string - path: - default: - type: PathPrefix - value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. - properties: - type: - default: PathPrefix - description: |- - Type specifies how to match against the path Value. + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - Support: Core (Exact, PathPrefix) + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - PathPrefix - - RegularExpression - type: string - value: - default: / - description: Value of the HTTP path to match against. - maxLength: 1024 - type: string - type: object - x-kubernetes-validations: - - message: value must be an absolute path and start with - '/' when type one of ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') - : true' - - message: must not contain '//' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.contains(''//'') - : true' - - message: must not contain '/./' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') - : true' - - message: must not contain '/../' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') - : true' - - message: must not contain '%2f' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') - : true' - - message: must not contain '%2F' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') - : true' - - message: must not contain '#' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') - : true' - - message: must not end with '/..' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') - : true' - - message: must not end with '/.' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') - : true' - - message: type must be one of ['Exact', 'PathPrefix', - 'RegularExpression'] - rule: self.type in ['Exact','PathPrefix'] || self.type - == 'RegularExpression' - - message: must only contain valid characters (matching - ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) - for types ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") - : true' - queryParams: + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. 
+ properties: + filters: description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. - Support: Extended + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) items: description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. - properties: - name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. 
Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + cors: description: |- - Type specifies how to match against the value of the query parameter. - - Support: Extended (Exact) - - Support: Implementation-specific (RegularExpression) - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP query param - to be matched. - maxLength: 1024 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - maxItems: 64 - type: array - name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - retry: - description: |- - Retry defines the configuration for when to retry an HTTP request. + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. - Support: Extended - properties: - attempts: - description: |- - Attempts specifies the maximum number of times an individual request - from the gateway to a backend should be retried. 
+ When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - If the maximum number of retries has been attempted without a successful - response from the backend, the Gateway MUST return an error. + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). - When this field is unspecified, the number of times to attempt to retry - a backend request is implementation-specific. + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. - Support: Extended - type: integer - backoff: - description: |- - Backoff specifies the minimum duration a Gateway should wait between - retry attempts and is represented in Gateway API Duration formatting. + Header names are not case sensitive. - For example, setting the `rules[].retry.backoff` field to the value - `100ms` will cause a backend request to first be retried approximately - 100 milliseconds after timing out or receiving a response code configured - to be retryable. + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). - An implementation MAY use an exponential or alternative backoff strategy - for subsequent retry attempts, MAY cap the maximum backoff duration to - some amount greater than the specified minimum, and MAY add arbitrary - jitter to stagger requests, as long as unsuccessful backend requests are - not retried before the configured minimum duration. + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. 
- If a Request timeout (`rules[].timeouts.request`) is configured on the - route, the entire duration of the initial request and any retry attempts - MUST not exceed the Request timeout duration. If any retry attempts are - still in progress when the Request timeout duration has been reached, - these SHOULD be canceled if possible and the Gateway MUST immediately - return a timeout error. + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. - If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - configured on the route, any retry attempts which reach the configured - BackendRequest timeout duration without a response SHOULD be canceled if - possible and the Gateway should wait for at least the specified backoff - duration before attempting to retry the backend request again. + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. - If a BackendRequest timeout is _not_ configured on the route, retry - attempts MAY time out after an implementation default duration, or MAY - remain pending until a configured Request timeout or implementation - default duration for total request time is reached. + A wildcard indicates that the requests with all HTTP headers are allowed. + The `Access-Control-Allow-Headers` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - When this field is unspecified, the time to wait between retry attempts - is implementation-specific. + When the `AllowCredentials` field is true and `AllowHeaders` field + specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. 
The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. A Gateway + implementation may choose to add implementation-specific default headers. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - codes: - description: |- - Codes defines the HTTP response status codes for which a backend request - should be retried. + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. - Support: Extended - items: - description: |- - HTTPRouteRetryStatusCode defines an HTTP response status code for - which a backend request should be retried. + Valid values include: - Implementations MUST support the following status codes as retryable: + * "Authorization" + * "Set-Cookie" - * 500 - * 502 - * 503 - * 504 + Invalid values include: - Implementations MAY support specifying additional discrete values in the - 500-599 range. + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. - Implementations MAY support specifying discrete values in the 400-499 range, - which are often inadvisable to retry. - maximum: 599 - minimum: 400 - type: integer - type: array - type: object - sessionPersistence: - description: |- - SessionPersistence defines and configures session persistence - for the route rule. 
+ Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + Method names are case sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. 
+ If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. - Defaults to "Session". + The `Access-Control-Allow-Methods` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - Support: Core for "Session" type + When the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. A Gateway implementation may + choose to add implementation-specific default methods. - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. 
- Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. + Valid values for scheme are: `http` and `https`. - Support: Core for "Cookie" type + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - timeouts: - description: |- - Timeouts defines the timeouts that can be configured for an HTTP request. + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: - Support: Extended - properties: - backendRequest: - description: |- - BackendRequest specifies a timeout for an individual request from the gateway - to a backend. This covers the time from when the request first starts being - sent from the gateway to when the full response has been received from the backend. 
+ * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. - An entire client HTTP transaction with a gateway, covered by the Request timeout, - may result in more than one call from the gateway to the destination backend, - for example, if automatic retries are supported. + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. - The value of BackendRequest must be a Gateway API Duration string as defined by - GEP-2257. When this field is unspecified, its behavior is implementation-specific; - when specified, the value of BackendRequest must be no more than the value of the - Request timeout (since the Request timeout encompasses the BackendRequest timeout). + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - request: - description: |- - Request specifies the maximum duration for a gateway to respond to an HTTP request. - If the gateway has not been able to respond before this deadline is met, the gateway - MUST return a timeout error. 
+ If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. - For example, setting the `rules.timeouts.request` field to the value `10s` in an - `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds - to complete. + The `Access-Control-Allow-Origin` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. + When the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. - This timeout is intended to cover as close to the whole request-response transaction - as possible although an implementation MAY choose to start the timeout after the entire - request stream has been received instead of immediately after the transaction is - initiated by the client. + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. 
+ URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. - The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - field is unspecified, request timeout behavior is implementation-specific. + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - type: object - x-kubernetes-validations: - - message: backendRequest timeout cannot be longer than request - timeout - rule: '!(has(self.request) && has(self.backendRequest) && - duration(self.request) != duration(''0s'') && duration(self.backendRequest) - > duration(self.request))' - type: object - x-kubernetes-validations: - - message: RequestRedirect filter must not be used together with - backendRefs - rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? 
- (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): - true' - - message: When using RequestRedirect filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - ? ((size(self.matches) != 1 || !has(self.matches[0].path) || - self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: When using URLRewrite filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? false : true) : true' - - message: Within backendRefs, when using RequestRedirect filter - with path.replacePrefixMatch, exactly one PathPrefix match must - be specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) - || self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: Within backendRefs, When using URLRewrite filter with - path.replacePrefixMatch, exactly one PathPrefix match must be - specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) )) ? 
((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? false : true) : true' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: While 16 rules and 64 matches per rule are allowed, the - total number of matches across all rules in a route must be less - than 128 - rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() - > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() - : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() - > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() - : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() - > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() - : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() - > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() - : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() - > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() - : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - type: object - status: - description: Status defines the current state of HTTPRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. 
- Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. + Header names are not case sensitive. - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: + Valid values include: - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. 
- items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. + * "Authorization" + * "Set-Cookie" - Example: "example.net/gateway-controller". + Invalid values include: - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. 
- When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. - There are two kinds of parent resources with "Core" support: + This filter can be used multiple times within the same rule. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. + If there is any problem communicating with the external service, + this filter MUST fail closed. - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. + Support: Extended + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Defaults to "Service" when not specified. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. + It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. 
+ Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + If this list is empty, then all headers must be sent. 
- Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: + If the list has entries, only those entries must be sent. + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. + If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. + When empty or unspecified, no prefix is added. 
- Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - required: - - parents - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.hostnames - name: Hostnames - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HTTPRoute provides a way to route HTTP requests. This includes the capability - to match requests by hostname, path, header, or query param. Filters can be - used to specify additional processing steps. Backends specify where matching - requests should be routed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of HTTPRoute. - properties: - hostnames: - description: |- - Hostnames defines a set of hostnames that should match against the HTTP Host - header to select a HTTPRoute used to process the request. 
Implementations - MUST ignore any port value specified in the HTTP Host header while - performing a match and (absent of any applicable header modification - configuration) MUST forward this header unmodified to the backend. + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. + Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. - Valid values for Hostnames are determined by RFC 1123 definition of a - hostname with 2 notable exceptions: + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. - If a hostname is specified by both the Listener and HTTPRoute, there - must be at least one intersecting hostname for the HTTPRoute to be - attached to the Listener. For example: + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol + is set to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? 
has(self.grpc) + : true' + - message: protocol must be 'GRPC' when grpc is + set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' + : true' + - message: http must be specified when protocol + is set to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) + : true' + - message: protocol must be 'HTTP' when http is + set + rule: 'has(self.http) ? self.protocol == ''HTTP'' + : true' + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. - * A Listener with `test.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `*.example.com`, `test.example.com`, and `foo.test.example.com` would - all match. On the other hand, `example.com` and `test.example.net` would - not match. + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + Input: + GET /foo HTTP/1.1 + my-header: foo - If both the Listener and HTTPRoute have specified hostnames, any - HTTPRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - HTTPRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. 
+ Config: + add: + - name: "my-header" + value: "bar,baz" - If both the Listener and HTTPRoute have specified hostnames, and none - match with the criteria above, then the HTTPRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. - overlapping wildcard matching and exact matching hostnames), precedence must - be given to rules from the HTTPRoute with the largest number of: + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. 
+ Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - If ties exist across multiple Routes, the matching precedence rules for - HTTPRouteMatches takes over. + Config: + remove: ["my-header1", "my-header3"] - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + Input: + GET /foo HTTP/1.1 + my-header: foo - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). + Config: + set: + - name: "my-header" + value: "bar" - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. 
For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - There are two kinds of parent resources with "Core" support: + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. 
- This API may be extended in the future to support additional kinds of parent - resources. + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. - ParentRefs must be _distinct_. This means either that: + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. - Some examples: + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. 
+ In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + Support: Extended for Kubernetes Service - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + Defaults to "Service" when not specified. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
- ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + Support: Core (Services with a type other than ExternalName) - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - This API may be extended in the future to support additional kinds of parent - resources. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). 
+ Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). - There are two kinds of parent resources with "Core" support: + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. 
For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
+ Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. + If no port is specified, the redirect port MUST be derived using the + following rules: - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. 
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. 
If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - default: - - matches: - - path: - type: PathPrefix - value: / - description: Rules are a list of HTTP matchers, filters and actions. - items: - description: |- - HTTPRouteRule defines semantics for matching an HTTP request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). - properties: - backendRefs: - description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. + Input: + GET /foo HTTP/1.1 + my-header: foo - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive a 500 status code. 
+ Config: + add: + - name: "my-header" + value: "bar,baz" - See the HTTPBackendRef definition for the rules about what makes a single - HTTPBackendRef invalid. + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for - requests that would have otherwise been routed to an invalid backend. If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive a 500 status code. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic must receive a 500. Implementations may - choose how that 50 percent is determined. 
+ Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - When a HTTPBackendRef refers to a Service that has no ready endpoints, - implementations SHOULD return a 503 for requests to that backend instead. - If an implementation chooses to do this, all of the above rules for 500 responses - MUST also apply for responses that return a 503. + Config: + remove: ["my-header1", "my-header3"] - Support: Core for Kubernetes Service + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - Support: Extended for Kubernetes ServiceImport + Input: + GET /foo HTTP/1.1 + my-header: foo - Support: Implementation-specific for any other resource + Config: + set: + - name: "my-header" + value: "bar" - Support for weight: Core - items: - description: |- - HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. 
+ If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: - filters: - description: |- - Filters defined at this level should be executed if and only if the - request is being forwarded to the backend defined here. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Support: Implementation-specific (For broader support of filters, use the - Filters field in HTTPRouteRule.) - items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - cors: + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + - ExternalAuth + type: string + urlRewrite: description: |- - CORS defines a schema for a filter that responds to the - cross-origin request based on HTTP response header. + URLRewrite defines a schema for a filter that modifies a request during forwarding. 
Support: Extended properties: - allowCredentials: + hostname: description: |- - AllowCredentials indicates whether the actual cross-origin request allows - to include credentials. - - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). - - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. + Hostname is the value to be used to replace the Host header value during + forwarding. Support: Extended - enum: - - true - type: boolean - allowHeaders: + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: description: |- - AllowHeaders indicates which HTTP request headers are supported for - accessing the requested resource. - - Header names are not case sensitive. - - Multiple header names in the value of the `Access-Control-Allow-Headers` - response header are separated by a comma (","). - - When the `AllowHeaders` field is configured with one or more headers, the - gateway must return the `Access-Control-Allow-Headers` response header - which value is present in the `AllowHeaders` field. + Path defines a path rewrite. - If any header name in the `Access-Control-Request-Headers` request header - is not included in the list of header names specified by the response - header `Access-Control-Allow-Headers`, it will present an error on the - client side. + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. 
For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". - If any header name in the `Access-Control-Allow-Headers` response header - does not recognize by the client, it will also occur an error on the - client side. + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. - A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more - HTTP headers in the value of the `Access-Control-Allow-Headers` response - header. The value of the header `Access-Control-Allow-Headers` is same as - the `Access-Control-Request-Headers` header provided by the client. If - the header `Access-Control-Request-Headers` is not included in the - request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. 
- Support: Extended - items: - description: |- - HTTPHeaderName is the name of an HTTP header. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - Valid values include: + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + 
- message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: filter.externalAuth must be nil if the filter.type + is not ExternalAuth + rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' + - message: filter.externalAuth must be specified for + ExternalAuth filter.type + rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". 
- * "Authorization" - * "Set-Cookie" + Defaults to "Service" when not specified. - Invalid values include: + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo - headers are not currently supported by this type. - - "/invalid" - "/ " is an invalid character - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - allowMethods: - description: |- - AllowMethods indicates which HTTP methods are supported for accessing the - requested resource. + Support: Core (Services with a type other than ExternalName) - Valid values are any method defined by RFC9110, along with the special - value `*`, which represents all HTTP methods are allowed. + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - Method names are case sensitive, so these values are also case-sensitive. - (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Multiple method names in the value of the `Access-Control-Allow-Methods` - response header are separated by a comma (","). 
+ Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. - A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - CORS-safelisted methods are always allowed, regardless of whether they - are specified in the `AllowMethods` field. + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. - When the `AllowMethods` field is configured with one or more methods, the - gateway must return the `Access-Control-Allow-Methods` response header - which value is present in the `AllowMethods` field. + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? 
has(self.port) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. - If the HTTP method of the `Access-Control-Request-Method` request header - is not included in the list of methods specified by the response header - `Access-Control-Allow-Methods`, it will present an error on the client - side. + Wherever possible, implementations SHOULD implement filters in the order + they are specified. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that cannot be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. - When the `AllowCredentials` field is specified and `AllowMethods` field - specified with the `*` wildcard, the gateway must specify one HTTP method - in the value of the Access-Control-Allow-Methods response header. The - value of the header `Access-Control-Allow-Methods` is same as the - `Access-Control-Request-Method` header provided by the client. If the - header `Access-Control-Request-Method` is not included in the request, - the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. 
- Support: Extended - items: - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - - '*' - type: string - maxItems: 9 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: AllowMethods cannot contain '*' alongside - other methods - rule: '!(''*'' in self && self.size() > 1)' - allowOrigins: - description: |- - AllowOrigins indicates whether the response can be shared with requested - resource from the given `Origin`. + Conformance-levels at this level are defined based on the type of filter: - The `Origin` consists of a scheme and a host, with an optional port, and - takes the form `://(:)`. + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. - Valid values for scheme are: `http` and `https`. + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. - Valid values for port are any integer between 1 and 65535 (the list of - available TCP/UDP ports). Note that, if not included, port `80` is - assumed for `http` scheme origins, and port `443` is assumed for `https` - origins. This may affect origin matching. + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation cannot support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. - The host part of the origin may contain the wildcard character `*`. 
These - wildcard characters behave as follows: + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. - * `*` is a greedy match to the _left_, including any number of - DNS labels to the left of its position. This also means that - `*` will include any number of period `.` characters to the - left of its position. - * A wildcard by itself matches all hosts. + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. - An origin value that includes _only_ the `*` character indicates requests - from all `Origin`s are allowed. + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - When the `AllowOrigins` field is configured with multiple origins, it - means the server supports clients from multiple origins. If the request - `Origin` matches the configured allowed origins, the gateway must return - the given `Origin` and sets value of the header - `Access-Control-Allow-Origin` same as the `Origin` header provided by the - client. + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). - The status code of a successful response to a "preflight" request is - always an OK status (i.e., 204 or 200). 
+ Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. - If the request `Origin` does not match the configured allowed origins, - the gateway returns 204/200 response but doesn't set the relevant - cross-origin response headers. Alternatively, the gateway responds with - 403 status to the "preflight" request is denied, coupled with omitting - the CORS headers. The cross-origin request fails on the client side. - Therefore, the client doesn't attempt the actual cross-origin request. + Header names are not case sensitive. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). - When the `AllowCredentials` field is specified and `AllowOrigins` field - specified with the `*` wildcard, the gateway must return a single origin - in the value of the `Access-Control-Allow-Origin` response header, - instead of specifying the `*` wildcard. The value of the header - `Access-Control-Allow-Origin` is same as the `Origin` header provided by - the client. + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. - Support: Extended - items: - description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that - include an authority MUST include a fully qualified domain name or - IP address as the host. - maxLength: 253 - minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? 
- type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - exposeHeaders: - description: |- - ExposeHeaders indicates which HTTP response headers can be exposed - to client-side scripts in response to a cross-origin request. + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. - A CORS-safelisted response header is an HTTP header in a CORS response - that it is considered safe to expose to the client scripts. - The CORS-safelisted response headers include the following headers: - `Cache-Control` - `Content-Language` - `Content-Length` - `Content-Type` - `Expires` - `Last-Modified` - `Pragma` - (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - The CORS-safelisted response headers are exposed to client by default. + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. - When an HTTP header name is specified using the `ExposeHeaders` field, - this additional header will be exposed as part of the response to the - client. + A wildcard indicates that the requests with all HTTP headers are allowed. + The `Access-Control-Allow-Headers` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - Header names are not case sensitive. + When the `AllowCredentials` field is true and `AllowHeaders` field + specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. 
If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. A Gateway + implementation may choose to add implementation-specific default headers. - Multiple header names in the value of the `Access-Control-Expose-Headers` - response header are separated by a comma (","). + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. - A wildcard indicates that the responses with all HTTP headers are exposed - to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + Valid values include: - Support: Extended - items: - description: |- - HTTPHeaderName is the name of an HTTP header. + * "Authorization" + * "Set-Cookie" - Valid values include: + Invalid values include: - * "Authorization" - * "Set-Cookie" + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. - Invalid values include: + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. - - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo - headers are not currently supported by this type. 
- - "/invalid" - "/ " is an invalid character - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - maxAge: - default: 5 - description: |- - MaxAge indicates the duration (in seconds) for the client to cache the - results of a "preflight" request. + Method names are case sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - The information provided by the `Access-Control-Allow-Methods` and - `Access-Control-Allow-Headers` response headers can be cached by the - client until the time specified by `Access-Control-Max-Age` elapses. + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). - The default value of `Access-Control-Max-Age` response header is 5 - (seconds). - format: int32 - minimum: 1 - type: integer - type: object - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. - This filter can be used multiple times within the same rule. + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. - Support: Implementation-specific - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + The `Access-Control-Allow-Methods` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - Input: - GET /foo HTTP/1.1 - my-header: foo + When the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. A Gateway implementation may + choose to add implementation-specific default methods. 
- Config: - add: - - name: "my-header" - value: "bar,baz" + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Valid values for scheme are: `http` and `https`. 
- Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. - Config: - remove: ["my-header1", "my-header3"] + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. - Input: - GET /foo HTTP/1.1 - my-header: foo + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. - Config: - set: - - name: "my-header" - value: "bar" + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. + The `Access-Control-Allow-Origin` response header can only use `*` + wildcard as value when the `AllowCredentials` field is false or omitted. - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. + When the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. 
The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. + Header names are not case sensitive. - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). - Support: Extended for Kubernetes Service + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. - Defaults to "Service" when not specified. 
+ Valid values include: - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + * "Authorization" + * "Set-Cookie" - Support: Core (Services with a type other than ExternalName) + Invalid values include: - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. 
- Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. + If there is any problem communicating with the external service, + this filter MUST fail closed. - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. + Support: Extended + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. 
- The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. + Defaults to "Service" when not specified. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. 
+ ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. + Support: Core (Services with a type other than ExternalName) - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? 
has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - If no port is specified, the redirect port MUST be derived using the - following rules: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. 
+ It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. + Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. 
+ If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + If this list is empty, then all headers must be sent. - Support: Extended - enum: - - http - - https + If the list has entries, only those entries must be sent. + items: type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. 
If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. + + When empty or unspecified, no prefix is added. + + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. + Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. + + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto + + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. 
+ + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol is set + to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? has(self.grpc) : + true' + - message: protocol must be 'GRPC' when grpc is set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' : + true' + - message: http must be specified when protocol is set + to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) : + true' + - message: protocol must be 'HTTP' when http is set + rule: 'has(self.http) ? self.protocol == ''HTTP'' : + true' + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. + Config: + add: + - name: "my-header" + value: "bar,baz" - Support: Extended + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. properties: - add: + name: description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
- Config: - add: - - name: "my-header" - value: "bar,baz" + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Config: + remove: ["my-header1", "my-header3"] - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. - Config: - remove: ["my-header1", "my-header3"] + Input: + GET /foo HTTP/1.1 + my-header: foo - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set + Config: set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" + - name: "my-header" + value: "bar" - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - Implementation-specific: Filters that are defined and supported by - specific vendors. 
- In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - - CORS - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. 
+ If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. - Support: Extended - properties: - hostname: - description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines a path rewrite. + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + Support: Extended for Kubernetes Service - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. 
+ Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. + Defaults to "Service" when not specified. - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Support: Core (Services with a type other than ExternalName) - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? 
- has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the - filter.type is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != - ''RequestRedirect'')' - - message: filter.requestRedirect must be specified - for RequestRedirect filter.type - rule: '!(!has(self.requestRedirect) 
&& self.type == - ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for - ExtensionRef filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') - && self.exists(f, f.type == ''URLRewrite''))' - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') - && self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() - <= 1 - - message: URLRewrite filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". 
- When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - Defaults to "Service" when not specified. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? 
has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. - Support: Core (Services with a type other than ExternalName) + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
+ RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. - Support for this field varies based on the context where used. 
- format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - type: array - filters: - description: |- - Filters define the filters that are applied to requests that match - this rule. + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". - Wherever possible, implementations SHOULD implement filters in the order - they are specified. + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. - Implementations MAY choose to implement this ordering strictly, rejecting - any combination or order of filters that cannot be supported. If implementations - choose a strict interpretation of filter ordering, they MUST clearly document - that behavior. + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. 
- To reject an invalid combination or order of filters, implementations SHOULD - consider the Route Rules with this configuration invalid. If all Route Rules - in a Route are invalid, the entire Route would be considered invalid. If only - a portion of Route Rules are invalid, implementations MUST set the - "PartiallyInvalid" condition for the Route. + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. - Conformance-levels at this level are defined based on the type of filter: + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - - ALL core filters MUST be supported by all implementations. - - Implementers are encouraged to support extended filters. - - Implementation-specific custom filters have no API guarantees across - implementations. + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. + If no port is specified, the redirect port MUST be derived using the + following rules: - All filters are expected to be compatible with each other except for the - URLRewrite and RequestRedirect filters, which may not be combined. If an - implementation cannot support other combinations of filters, they must clearly - document that limitation. In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. - Support: Core - items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - cors: - description: |- - CORS defines a schema for a filter that responds to the - cross-origin request based on HTTP response header. 
+ Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: - Support: Extended - properties: - allowCredentials: + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: description: |- - AllowCredentials indicates whether the actual cross-origin request allows - to include credentials. + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. Support: Extended enum: - - true - type: boolean - allowHeaders: + - http + - https + type: string + statusCode: + default: 302 description: |- - AllowHeaders indicates which HTTP request headers are supported for - accessing the requested resource. - - Header names are not case sensitive. + StatusCode is the HTTP status code to be used in response. - Multiple header names in the value of the `Access-Control-Allow-Headers` - response header are separated by a comma (","). 
+ Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - When the `AllowHeaders` field is configured with one or more headers, the - gateway must return the `Access-Control-Allow-Headers` response header - which value is present in the `AllowHeaders` field. + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. - If any header name in the `Access-Control-Request-Headers` request header - is not included in the list of header names specified by the response - header `Access-Control-Allow-Headers`, it will present an error on the - client side. + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. - If any header name in the `Access-Control-Allow-Headers` response header - does not recognize by the client, it will also occur an error on the - client side. + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. - A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Input: + GET /foo HTTP/1.1 + my-header: foo - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more - HTTP headers in the value of the `Access-Control-Allow-Headers` response - header. The value of the header `Access-Control-Allow-Headers` is same as - the `Access-Control-Request-Headers` header provided by the client. 
If - the header `Access-Control-Request-Headers` is not included in the - request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + Config: + add: + - name: "my-header" + value: "bar,baz" - Support: Extended + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz items: - description: |- - HTTPHeaderName is the name of an HTTP header. + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Valid values include: + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - * "Authorization" - * "Set-Cookie" + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz - Invalid values include: + Config: + remove: ["my-header1", "my-header3"] - - ":method" - ":" is an invalid character. 
This means that HTTP/2 pseudo - headers are not currently supported by this type. - - "/invalid" - "/ " is an invalid character - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: type: string - maxItems: 64 + maxItems: 16 type: array x-kubernetes-list-type: set - allowMethods: + set: description: |- - AllowMethods indicates which HTTP methods are supported for accessing the - requested resource. + Set overwrites the request with the given header (name, value) + before the action. - Valid values are any method defined by RFC9110, along with the special - value `*`, which represents all HTTP methods are allowed. + Input: + GET /foo HTTP/1.1 + my-header: foo - Method names are case sensitive, so these values are also case-sensitive. - (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + Config: + set: + - name: "my-header" + value: "bar" - Multiple method names in the value of the `Access-Control-Allow-Methods` - response header are separated by a comma (","). + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - CORS-safelisted methods are always allowed, regardless of whether they - are specified in the `AllowMethods` field. + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: - When the `AllowMethods` field is configured with one or more methods, the - gateway must return the `Access-Control-Allow-Methods` response header - which value is present in the `AllowMethods` field. + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. - If the HTTP method of the `Access-Control-Request-Method` request header - is not included in the list of methods specified by the response header - `Access-Control-Allow-Methods`, it will present an error on the client - side. + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. 
+ + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + - ExternalAuth + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. - When the `AllowCredentials` field is specified and `AllowMethods` field - specified with the `*` wildcard, the gateway must specify one HTTP method - in the value of the Access-Control-Allow-Methods response header. The - value of the header `Access-Control-Allow-Methods` is same as the - `Access-Control-Request-Method` header provided by the client. If the - header `Access-Control-Request-Method` is not included in the request, - the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. 
Support: Extended - items: - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - - '*' - type: string - maxItems: 9 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: AllowMethods cannot contain '*' alongside - other methods - rule: '!(''*'' in self && self.size() > 1)' - allowOrigins: + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: description: |- - AllowOrigins indicates whether the response can be shared with requested - resource from the given `Origin`. - - The `Origin` consists of a scheme and a host, with an optional port, and - takes the form `://(:)`. + Path defines a path rewrite. - Valid values for scheme are: `http` and `https`. + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". - Valid values for port are any integer between 1 and 65535 (the list of - available TCP/UDP ports). Note that, if not included, port `80` is - assumed for `http` scheme origins, and port `443` is assumed for `https` - origins. This may affect origin matching. + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. 
- The host part of the origin may contain the wildcard character `*`. These - wildcard characters behave as follows: + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. - * `*` is a greedy match to the _left_, including any number of - DNS labels to the left of its position. This also means that - `*` will include any number of period `.` characters to the - left of its position. - * A wildcard by itself matches all hosts. + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. - An origin value that includes _only_ the `*` character indicates requests - from all `Origin`s are allowed. + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. - When the `AllowOrigins` field is configured with multiple origins, it - means the server supports clients from multiple origins. If the request - `Origin` matches the configured allowed origins, the gateway must return - the given `Origin` and sets value of the header - `Access-Control-Allow-Origin` same as the `Origin` header provided by the - client. + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? 
has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && 
self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: filter.externalAuth must be nil if the filter.type + is not ExternalAuth + rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' + - message: filter.externalAuth must be specified for ExternalAuth + filter.type + rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + 
default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. - The status code of a successful response to a "preflight" request is - always an OK status (i.e., 204 or 200). + For example, take the following matches configuration: - If the request `Origin` does not match the configured allowed origins, - the gateway returns 204/200 response but doesn't set the relevant - cross-origin response headers. Alternatively, the gateway responds with - 403 status to the "preflight" request is denied, coupled with omitting - the CORS headers. The cross-origin request fails on the client side. - Therefore, the client doesn't attempt the actual cross-origin request. + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: - When the `AllowCredentials` field is specified and `AllowOrigins` field - specified with the `*` wildcard, the gateway must return a single origin - in the value of the `Access-Control-Allow-Origin` response header, - instead of specifying the `*` wildcard. The value of the header - `Access-Control-Allow-Origin` is same as the `Origin` header provided by - the client. + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` - Support: Extended - items: - description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. 
URIs that - include an authority MUST include a fully qualified domain name or - IP address as the host. - maxLength: 253 - minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - exposeHeaders: - description: |- - ExposeHeaders indicates which HTTP response headers can be exposed - to client-side scripts in response to a cross-origin request. + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. - A CORS-safelisted response header is an HTTP header in a CORS response - that it is considered safe to expose to the client scripts. - The CORS-safelisted response headers include the following headers: - `Cache-Control` - `Content-Language` - `Content-Length` - `Content-Type` - `Expires` - `Last-Modified` - `Pragma` - (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - The CORS-safelisted response headers are exposed to client by default. + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. - When an HTTP header name is specified using the `ExposeHeaders` field, - this additional header will be exposed as part of the response to the - client. + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: - Header names are not case sensitive. + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. - Multiple header names in the value of the `Access-Control-Expose-Headers` - response header are separated by a comma (","). 
+ Note: The precedence of RegularExpression path matches are implementation-specific. - A wildcard indicates that the responses with all HTTP headers are exposed - to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: - Support: Extended - items: - description: |- - HTTPHeaderName is the name of an HTTP header. + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". - Valid values include: + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. - * "Authorization" - * "Set-Cookie" + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. 
Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - Invalid values include: + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. - - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo - headers are not currently supported by this type. - - "/invalid" - "/ " is an invalid character + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string - maxItems: 64 - type: array - x-kubernetes-list-type: set - maxAge: - default: 5 - description: |- - MaxAge indicates the duration (in seconds) for the client to cache the - results of a "preflight" request. + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. - The information provided by the `Access-Control-Allow-Methods` and - `Access-Control-Allow-Headers` response headers can be cached by the - client until the time specified by `Access-Control-Max-Age` elapses. + Support: Core (Exact) - The default value of `Access-Control-Max-Age` response header is 5 - (seconds). - format: int32 - minimum: 1 - type: integer - type: object - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. 
+ Support: Implementation-specific (RegularExpression) - This filter can be used multiple times within the same rule. + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. - Support: Implementation-specific + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: - group: + type: + default: PathPrefix description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + Type specifies how to match against the path Value. + + Support: Core (Exact, PathPrefix) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression type: string - name: - description: Name is the name of the referent. 
- maxLength: 253 - minLength: 1 + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 type: string - required: - - group - - kind - - name type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' 
when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. - Input: - GET /foo HTTP/1.1 - my-header: foo + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). - Config: - add: - - name: "my-header" - value: "bar,baz" + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. 
However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + Support: Extended (Exact) - Config: - remove: ["my-header1", "my-header3"] + Support: Implementation-specific (RegularExpression) - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. 
Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. - Input: - GET /foo HTTP/1.1 - my-header: foo + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |- + Retry defines the configuration for when to retry an HTTP request. - Config: - set: - - name: "my-header" - value: "bar" + Support: Extended + properties: + attempts: + description: |- + Attempts specifies the maximum number of times an individual request + from the gateway to a backend should be retried. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. 
Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. 
+ An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. + + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. + + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. + + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. + + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. 
+ Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. + Implementations MUST support the following status codes as retryable: - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. + * 500 + * 502 + * 503 + * 504 - Support: Extended for Kubernetes Service + Implementations MAY support specifying additional discrete values in the + 500-599 range. - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + maximum: 599 + minimum: 400 + type: integer + type: array + x-kubernetes-list-type: atomic + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the route rule. - Defaults to "Service" when not specified. + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. 
- ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. - Support: Core (Services with a type other than ExternalName) + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. 
- Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. + Defaults to "Session". - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal to - denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). + Support: Core for "Session" type - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. 
- format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be specified - in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use a header or cookie. Defaults to cookie based session + persistence. 
- Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + Support: Core for "Cookie" type - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. 
- Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. 
When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). - If no port is specified, the redirect port MUST be derived using the - following rules: + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. + If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. 
+ This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? 
false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? 
self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. 
When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. 
- Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Config: - add: - - name: "my-header" - value: "bar,baz" + Example: "example.net/gateway-controller". - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). 
- If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). 
- Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Config: - remove: ["my-header1", "my-header3"] + There are two kinds of parent resources with "Core" support: - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Input: - GET /foo HTTP/1.1 - my-header: foo + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Config: - set: - - name: "my-header" - value: "bar" + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. 
- If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - - Implementation-specific: Filters that are defined and supported by - specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. 
Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - - CORS - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. 
- Support: Extended - properties: - hostname: - description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines a path rewrite. + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. 
+ Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
- Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: 
filter.requestMirror must be specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the filter.type - is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' - - message: filter.requestRedirect must be specified for RequestRedirect - filter.type - rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for ExtensionRef - filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') && - self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() <= - 1 - - message: URLRewrite 
filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 - matches: - default: - - path: - type: PathPrefix - value: / - description: |- - Matches define conditions used for matching the rule against incoming - HTTP requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. 
- For example, take the following matches configuration: + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. - ``` - matches: - - path: - value: "/foo" - headers: - - name: "version" - value: "v2" - - path: - value: "/v2/foo" - ``` + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. - For a request to match against this rule, a request must satisfy - EITHER of the two conditions: + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". 
Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. - - path prefixed with `/foo` AND contains the header `version: v2` - - path prefix of `/v2/foo` + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - See the documentation for HTTPRouteMatch on how to specify multiple - match conditions that should be ANDed together. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. - If no matches are specified, the default is a prefix - path match on "/", which has the effect of matching every - HTTP request. + When used to permit a SecretObjectReference: - Proxy or Load Balancer routing configuration generated from HTTPRoutes - MUST prioritize matches based on the following criteria, continuing on - ties. Across all rules specified on applicable Routes, precedence must be - given to the match having: + * Gateway - * "Exact" path match. - * "Prefix" path match with largest number of characters. - * Method match. - * Largest number of header matches. - * Largest number of query param matches. + When used to permit a BackendObjectReference: - Note: The precedence of RegularExpression path matches are implementation-specific. + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
- If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - If ties still exist within an HTTPRoute, matching precedence MUST be granted - to the FIRST matching rule (in list order) with a match meeting the above - criteria. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - When no rules matching a request have been successfully attached to the - parent a request is coming from, a HTTP 404 status code MUST be returned. - items: - description: "HTTPRouteMatch defines the predicate used to - match requests to a given\naction. Multiple match types - are ANDed together, i.e. 
the match will\nevaluate to true - only if all conditions are satisfied.\n\nFor example, the - match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n```" - properties: - headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. - items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. + There are two kinds of parent resources with "Core" support: - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: |- - Type specifies how to match against the value of the header. 
+ * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Core (Exact) + This API may be extended in the future to support additional kinds of parent + resources. - Support: Implementation-specific (RegularExpression) + ParentRefs must be _distinct_. This means either that: - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP Header to - be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. - Support: Extended - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - type: string - path: - default: - type: PathPrefix - value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. 
- properties: - type: - default: PathPrefix - description: |- - Type specifies how to match against the path Value. + Some examples: - Support: Core (Exact, PathPrefix) + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - PathPrefix - - RegularExpression - type: string - value: - default: / - description: Value of the HTTP path to match against. - maxLength: 1024 - type: string - type: object - x-kubernetes-validations: - - message: value must be an absolute path and start with - '/' when type one of ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') - : true' - - message: must not contain '//' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') - : true' - - message: must not contain '/./' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') - : true' - - message: must not contain '/../' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') - : true' - - message: must not contain '%2f' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') - : true' - - message: must not contain '%2F' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') - : true' - - message: must not contain '#' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.contains(''#'') - : true' - - message: must not end with '/..' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') - : true' - - message: must not end with '/.' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') - : true' - - message: type must be one of ['Exact', 'PathPrefix', - 'RegularExpression'] - rule: self.type in ['Exact','PathPrefix'] || self.type - == 'RegularExpression' - - message: must only contain valid characters (matching - ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) - for types ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") - : true' - queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. - Support: Extended - items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. - properties: - name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. 
For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: |- - Type specifies how to match against the value of the query parameter. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). 
There are two kinds of parent resources + with "Core" support: - Support: Extended (Exact) + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Implementation-specific (RegularExpression) + This API may be extended in the future to support additional kinds of parent + resources. - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP query param - to be matched. - maxLength: 1024 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - maxItems: 64 - type: array - name: + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Support: Extended + Support: Core maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - retry: + kind: + default: Gateway description: |- - Retry defines the configuration for when to retry an HTTP request. + Kind is kind of the referent. 
- Support: Extended - properties: - attempts: - description: |- - Attempts specifies the maximum number of times an individual request - from the gateway to a backend should be retried. + There are two kinds of parent resources with "Core" support: - If the maximum number of retries has been attempted without a successful - response from the backend, the Gateway MUST return an error. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - When this field is unspecified, the number of times to attempt to retry - a backend request is implementation-specific. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support: Extended - type: integer - backoff: - description: |- - Backoff specifies the minimum duration a Gateway should wait between - retry attempts and is represented in Gateway API Duration formatting. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - For example, setting the `rules[].retry.backoff` field to the value - `100ms` will cause a backend request to first be retried approximately - 100 milliseconds after timing out or receiving a response code configured - to be retryable. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. 
- An implementation MAY use an exponential or alternative backoff strategy - for subsequent retry attempts, MAY cap the maximum backoff duration to - some amount greater than the specified minimum, and MAY add arbitrary - jitter to stagger requests, as long as unsuccessful backend requests are - not retried before the configured minimum duration. - If a Request timeout (`rules[].timeouts.request`) is configured on the - route, the entire duration of the initial request and any retry attempts - MUST not exceed the Request timeout duration. If any retry attempts are - still in progress when the Request timeout duration has been reached, - these SHOULD be canceled if possible and the Gateway MUST immediately - return a timeout error. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - configured on the route, any retry attempts which reach the configured - BackendRequest timeout duration without a response SHOULD be canceled if - possible and the Gateway should wait for at least the specified backoff - duration before attempting to retry the backend request again. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - If a BackendRequest timeout is _not_ configured on the route, retry - attempts MAY time out after an implementation default duration, or MAY - remain pending until a configured Request timeout or implementation - default duration for total request time is reached. - When this field is unspecified, the time to wait between retry attempts - is implementation-specific. 
+ Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - codes: - description: |- - Codes defines the HTTP response status codes for which a backend request - should be retried. + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Support: Extended - items: - description: |- - HTTPRouteRetryStatusCode defines an HTTP response status code for - which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. - * 500 - * 502 - * 503 - * 504 - Implementations MAY support specifying additional discrete values in the - 500-599 range. + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. - Implementations MAY support specifying discrete values in the 400-499 range, - which are often inadvisable to retry. 
- maximum: 599 - minimum: 400 - type: integer - type: array - type: object - sessionPersistence: - description: |- - SessionPersistence defines and configures session persistence - for the route rule. + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. 
A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. + Support: Core for Kubernetes Service - Defaults to "Session". 
+ Support: Extended for Kubernetes ServiceImport - Support: Core for "Session" type + Support: Implementation-specific for any other resource - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. - Support: Core for "Cookie" type + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. 
- Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - timeouts: - description: |- - Timeouts defines the timeouts that can be configured for an HTTP request. + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - Support: Extended - properties: - backendRequest: - description: |- - BackendRequest specifies a timeout for an individual request from the gateway - to a backend. This covers the time from when the request first starts being - sent from the gateway to when the full response has been received from the backend. + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - An entire client HTTP transaction with a gateway, covered by the Request timeout, - may result in more than one call from the gateway to the destination backend, - for example, if automatic retries are supported. - The value of BackendRequest must be a Gateway API Duration string as defined by - GEP-2257. 
When this field is unspecified, its behavior is implementation-specific; - when specified, the value of BackendRequest must be no more than the value of the - Request timeout (since the Request timeout encompasses the BackendRequest timeout). + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - request: - description: |- - Request specifies the maximum duration for a gateway to respond to an HTTP request. - If the gateway has not been able to respond before this deadline is met, the gateway - MUST return a timeout error. + Defaults to "Service" when not specified. - For example, setting the `rules.timeouts.request` field to the value `10s` in an - `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds - to complete. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. 
Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. + Support: Core (Services with a type other than ExternalName) - This timeout is intended to cover as close to the whole request-response transaction - as possible although an implementation MAY choose to start the timeout after the entire - request stream has been received instead of immediately after the transaction is - initiated by the client. + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - field is unspecified, request timeout behavior is implementation-specific. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - type: object - x-kubernetes-validations: - - message: backendRequest timeout cannot be longer than request - timeout - rule: '!(has(self.request) && has(self.backendRequest) && - duration(self.request) != duration(''0s'') && duration(self.backendRequest) - > duration(self.request))' - type: object - x-kubernetes-validations: - - message: RequestRedirect filter must not be used together with - backendRefs - rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? 
- (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): - true' - - message: When using RequestRedirect filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - ? ((size(self.matches) != 1 || !has(self.matches[0].path) || - self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: When using URLRewrite filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? false : true) : true' - - message: Within backendRefs, when using RequestRedirect filter - with path.replacePrefixMatch, exactly one PathPrefix match must - be specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) - || self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: Within backendRefs, When using URLRewrite filter with - path.replacePrefixMatch, exactly one PathPrefix match must be - specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) )) ? 
((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? false : true) : true' + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
+ + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object maxItems: 16 + minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - - message: While 16 rules and 64 matches per rule are allowed, the - total number of matches across all rules in a route must be less - than 128 - rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() - > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() - : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() - > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() - : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() - > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() - : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() - > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() - : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() - > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() - : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' - message: Rule name must be unique within the route rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! 
The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - rules type: object status: - description: Status defines the current state of HTTPRoute. + description: Status defines the current state of TCPRoute. properties: parents: description: |- 
@@ -13356,234 +16582,43 @@ spec: Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - required: - - parents - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null - name: referencegrants.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants - shortNames: - - refgrant - singular: referencegrant - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: 
.metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. - - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. - - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. - - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of ReferenceGrant. - properties: - from: - description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". 
Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. - - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. - - When used to permit a SecretObjectReference: - - * Gateway - - When used to permit a BackendObjectReference: - - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. - - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. 
- - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + interpreted. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 - minLength: 1 - type: string + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object required: - - group - - kind + - conditions + - controllerName + - parentRef type: object - maxItems: 16 - minItems: 1 + maxItems: 32 type: array + x-kubernetes-list-type: atomic required: - - from - - to + - parents type: object + required: + - spec type: object served: true storage: true - subresources: {} + subresources: + status: {} status: acceptedNames: kind: "" 
@@ -13592,26 +16627,25 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null - name: tcproutes.gateway.networking.k8s.io + name: tlsroutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: TCPRoute - listKind: TCPRouteList - plural: tcproutes - singular: tcproute + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute scope: Namespaced versions: - additionalPrinterColumns: @@ -13622,9 +16656,12 @@ spec: schema: openAPIV3Schema: description: |- - TCPRoute provides a way to route TCP requests. When combined with a Gateway - listener, it can be used to forward connections on the port specified by the - listener to a set of backends specified by the TCPRoute. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. properties: apiVersion: description: |- 
@@ -13644,8 +16681,66 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of TCPRoute. + description: Spec defines the desired state of TLSRoute. properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. 
+ + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -13858,6 +16953,7 @@ spec: type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: sectionName or port must be specified when parentRefs includes 2 or more references to the same parent 
@@ -13882,18 +16978,21 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TCP matchers and actions. + description: Rules are a list of TLS matchers and actions. items: - description: TCPRouteRule is the configuration for a given rule. + description: TLSRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Connection rejections must - respect weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. Support: Core for Kubernetes Service @@ -14022,6 +17121,7 @@ spec: maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic name: description: |- Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
@@ -14031,19 +17131,40 @@ spec: minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string + required: + - backendRefs type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: Rule name must be unique within the route rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string required: - rules type: object status: - description: Status defines the current state of TCPRoute. + description: Status defines the current state of TLSRoute. properties: parents: description: |- @@ -14305,11 +17426,13 @@ spec: - name type: object required: + - conditions - controllerName - parentRef type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic required: - parents type: object 
@@ -14317,44 +17440,14 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null - name: tlsroutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TLSRoute - listKind: TLSRouteList - plural: tlsroutes - singular: tlsroute - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha3 schema: openAPIV3Schema: description: |- @@ -14387,11 +17480,11 @@ spec: properties: hostnames: description: |- - Hostnames defines a set of SNI names that should match against the + Hostnames defines a set of SNI hostnames that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed in SNI names per RFC 6066. + 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. 
@@ -14400,13 +17493,13 @@ spec: attached to the Listener. For example: * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. + that have specified at least one of `test.example.com` or + `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. + that have specified at least one hostname that matches the Listener + hostname. For example, `test.example.com` and `*.example.com` would both + match. On the other hand, `example.com` and `test.example.net` would not + match. If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be @@ -14441,7 +17534,9 @@ spec: pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string maxItems: 16 + minItems: 1 type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -14654,6 +17749,7 @@ spec: type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: sectionName or port must be specified when parentRefs includes 2 or more references to the same parent @@ -14678,7 +17774,7 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: Rules are a list of actions. items: description: TLSRouteRule is the configuration for a given rule. properties: 
@@ -14821,6 +17917,7 @@ spec: maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic name: description: |- Name is the name of the route rule. This name MUST be unique within a Route if it is set. @@ -14830,15 +17927,37 @@ spec: minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string + required: + - backendRefs type: object - maxItems: 16 + maxItems: 1 minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: Rule name must be unique within the route rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string required: + - hostnames - rules type: object status: @@ -15104,11 +18223,13 @@ spec: - name type: object required: + - conditions - controllerName - parentRef type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic required: - parents type: object 
@@ -15134,9 +18255,8 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: udproutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io @@ -15393,6 +18513,7 @@ spec: type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: sectionName or port must be specified when parentRefs includes 2 or more references to the same parent @@ -15557,6 +18678,7 @@ spec: maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic name: description: |- Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
@@ -15566,14 +18688,35 @@ spec: minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string + required: + - backendRefs type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: Rule name must be unique within the route rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string required: - rules type: object @@ -15840,11 +18983,13 @@ spec: - name type: object required: + - conditions - controllerName - parentRef type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic required: - parents type: object @@ -15870,9 +19015,8 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null labels: gateway.networking.k8s.io/policy: Direct name: xbackendtrafficpolicies.gateway.networking.x-k8s.io 
@@ -16450,10 +19594,12 @@ spec: type: string required: - ancestorRef + - conditions - controllerName type: object maxItems: 16 type: array + x-kubernetes-list-type: atomic required: - ancestors type: object @@ -16479,9 +19625,8 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: xlistenersets.gateway.networking.x-k8s.io spec: group: gateway.networking.x-k8s.io 
@@ -16510,8 +19655,33 @@ spec: schema: openAPIV3Schema: description: |- - XListenerSet defines a set of additional listeners - to attach to an existing Gateway. + XListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. + + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. + + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. + + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include an "AttachedListenerSets" condition + - This condition will be: + - True: when AllowedListeners is set and at least one child ListenerSet is attached + - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false + - Unknown: when no AllowedListeners config is present properties: apiVersion: description: |- 
@@ -16549,10 +19719,10 @@ spec: 1. "parent" Gateway 2. ListenerSet ordered by creation time (oldest first) - 3. ListenerSet ordered alphabetically by “{namespace}/{name}”. + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". An implementation MAY reject listeners by setting the ListenerEntryStatus - `Accepted`` condition to False with the Reason `TooManyListeners` + `Accepted` condition to False with the Reason `TooManyListeners` If a listener has a conflict, this will be reported in the Status.ListenerEntryStatus setting the `Conflicted` condition to True. @@ -16625,6 +19795,7 @@ spec: type: object maxItems: 8 type: array + x-kubernetes-list-type: atomic namespaces: default: from: Same @@ -16747,12 +19918,18 @@ spec: pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string port: + default: 0 description: |- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. + + If the port is not set or specified as zero, the implementation will assign + a unique port. If the implementation does not support dynamic port + assignment, it MUST set `Accepted` condition to `False` with the + `UnsupportedPort` reason. format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer protocol: description: Protocol specifies the network protocol this listener @@ -16767,7 +19944,7 @@ spec: the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". - The association of SNIs to Certificate defined in GatewayTLSConfig is + The association of SNIs to Certificate defined in ListenerTLSConfig is defined based on the Hostname field for this listener. The GatewayClass MUST use the longest matching SNI out of all 
@@ -16830,115 +20007,29 @@ spec: name: description: Name is the name of the referent. maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - frontendValidation: - description: |- - FrontendValidation holds configuration information for validating the frontend (client). - Setting this field will require clients to send a client certificate - required for validation during the TLS handshake. In browsers this may result in a dialog appearing - that requests a user to specify the client certificate. - The maximum depth of a certificate chain accepted in verification is Implementation specific. - - Support: Extended - properties: - caCertificateRefs: - description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one reference, or other kinds - of resources). 
- - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - items: - description: |- - ObjectReference identifies an API object including its namespace. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When set to the empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "ConfigMap" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
+ Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - minItems: 1 - type: array - type: object + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic mode: default: Terminate description: |- @@ -16990,7 +20081,6 @@ spec: > 0 || size(self.options) > 0 : true' required: - name - - port - protocol type: object maxItems: 64 @@ -17290,6 +20380,7 @@ spec: type: object maxItems: 8 type: array + x-kubernetes-list-type: atomic required: - attachedRoutes - conditions 
@@ -17316,3 +20407,255 @@ status: plural: "" conditions: null storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: xmeshes.gateway.networking.x-k8s.io +spec: + group: gateway.networking.x-k8s.io + names: + categories: + - gateway-api + kind: XMesh + listKind: XMeshList + plural: xmeshes + shortNames: + - mesh + singular: xmesh + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: XMesh defines mesh-wide characteristics of a GAMMA-compliant + service mesh. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of XMesh. + properties: + controllerName: + description: |- + ControllerName is the name of a controller that is managing Gateway API + resources for mesh traffic management. 
The value of this field MUST be a + domain prefixed path. + + Example: "example.com/awesome-mesh". + + This field is not mutable and cannot be empty. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description optionally provides a human-readable description + of a Mesh. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is an optional reference to a resource that contains + implementation-specific configuration for this Mesh. If no + implementation-specific parameters are needed, this field MUST be + omitted. + + ParametersRef can reference a standard Kubernetes resource, i.e. + ConfigMap, or an implementation-specific custom resource. The resource + can be cluster-scoped or namespace-scoped. + + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the Mesh MUST be rejected + with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: Status defines the current state of XMesh. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions is the current status from the controller for + this Mesh. + + Controllers should prefer to publish conditions using values + of MeshConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: |- + SupportedFeatures is the set of features the Mesh support. + It MUST be sorted in ascending alphabetical order by the Name key. + items: + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/projects/gateway2/crds/tcproute-crd.yaml b/projects/gateway2/crds/tcproute-crd.yaml index c84fc94e944..af436a6c3c7 100644 --- a/projects/gateway2/crds/tcproute-crd.yaml +++ b/projects/gateway2/crds/tcproute-crd.yaml 
@@ -21,9 +21,8 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0 + gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: tcproutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io @@ -280,6 +279,7 @@ spec: type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: sectionName or port must be specified when parentRefs includes 2 or more references to the same parent @@ -444,6 +444,7 @@ spec: maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic name: description: |- Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
@@ -453,14 +454,35 @@ spec: minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string + required: + - backendRefs type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: Rule name must be unique within the route rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string required: - rules type: object @@ -727,11 +749,13 @@ spec: - name type: object required: + - conditions - controllerName - parentRef type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic required: - parents type: object diff --git a/projects/gateway2/deployer/deployer_test.go b/projects/gateway2/deployer/deployer_test.go index 581ed254616..bc33815aa62 100644 --- a/projects/gateway2/deployer/deployer_test.go +++ b/projects/gateway2/deployer/deployer_test.go 
@@ -7,7 +7,6 @@ import ( envoy_config_bootstrap "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/onsi/gomega/types" @@ -24,6 +23,7 @@ import ( "github.com/solo-io/gloo/test/gomega/matchers" "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" "github.com/solo-io/solo-kit/pkg/utils/protoutils" + "go.uber.org/mock/gomock" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" diff --git a/projects/gateway2/proxy_syncer/proxy_syncer.go b/projects/gateway2/proxy_syncer/proxy_syncer.go index 3f0380af8a1..c345fe4e151 100644 --- a/projects/gateway2/proxy_syncer/proxy_syncer.go +++ b/projects/gateway2/proxy_syncer/proxy_syncer.go @@ -419,7 +419,7 @@ func (s *ProxySyncer) Init(ctx context.Context, dbg *krt.DebugHandler) error { kubeGateways := SetupCollectionDynamic[gwv1.Gateway]( ctx, s.istioClient, - istiogvr.KubernetesGateway_v1, + istiogvr.KubernetesGateway, krt.WithName("KubeGateways"), withDebug, ) diff --git a/projects/gateway2/query/httproute.go b/projects/gateway2/query/httproute.go index 2969f22274e..1de7deedefa 100644 --- a/projects/gateway2/query/httproute.go +++ b/projects/gateway2/query/httproute.go @@ -14,10 +14,12 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/apiutil" gwv1 "sigs.k8s.io/gateway-api/apis/v1" gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwxv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" + "github.com/solo-io/gloo/pkg/schemes" "github.com/solo-io/gloo/projects/gateway2/translator/backendref" translator_types "github.com/solo-io/gloo/projects/gateway2/translator/types" "github.com/solo-io/gloo/projects/gateway2/utils" 
@@ -53,7 +55,19 @@ type RouteInfo struct { // GetKind returns the kind of the route. func (r RouteInfo) GetKind() string { - return r.Object.GetObjectKind().GroupVersionKind().Kind + if r.Object == nil { + return "" + } + + if gvk := r.Object.GetObjectKind().GroupVersionKind(); gvk.Kind != "" { + return gvk.Kind + } + + gvk, err := apiutil.GVKForObject(r.Object, schemes.GatewayScheme()) + if err != nil { + return "" + } + return gvk.Kind } // GetName returns the name of the route. @@ -531,7 +545,15 @@ func getListeners(resource client.Object) ([]gwv1.Listener, error) { func (r *gatewayQueries) processRoute(ctx context.Context, resource client.Object, route client.Object, ret *RoutesForGwResult) error { refs := getParentRefsForResource(resource, route) + // Get route kind using apiutil to ensure GVK is populated routeKind := route.GetObjectKind().GroupVersionKind().Kind + if routeKind == "" { + if gvk, err := apiutil.GVKForObject(route, r.scheme); err == nil { + routeKind = gvk.Kind + } else { + return fmt.Errorf("failed to get route kind: %w", err) + } + } listeners, err := getListeners(resource) if err != nil { @@ -649,6 +671,7 @@ func namespacedName(o Namespaced) types.NamespacedName { // // - HTTPRouteList // - TCPRouteList +// - TLSRouteList func getRouteItems(list client.ObjectList) ([]client.Object, error) { switch routes := list.(type) { case *gwv1.HTTPRouteList: diff --git a/projects/gateway2/query/mocks/mock_queries.go b/projects/gateway2/query/mocks/mock_queries.go index 658eacb9feb..ed4c27f78ab 100644 --- a/projects/gateway2/query/mocks/mock_queries.go +++ b/projects/gateway2/query/mocks/mock_queries.go 
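Review bot: The new fallback in `GetKind` returns `""` both when `r.Object` is nil and when `apiutil.GVKForObject` fails, so a caller cannot tell a missing object from an unregistered type, and any kind comparison downstream would quietly not match. The `processRoute` hunk further down does the same lookup but returns the error and uses `r.scheme` rather than `schemes.GatewayScheme()`. If `GatewayScheme()` builds a scheme on each call (its body is not shown here), this getter also pays that cost on every invocation, so the scheme is better resolved once at package level. Since the signature cannot return an error, the doc comment should at least state the contract, e.g. `// GetKind returns the kind of the route, or "" if the object is nil or its type is not registered in the Gateway scheme.`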
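Review bot: The error returned from the kind lookup in `processRoute` does not name the route being processed, and the `if … else return` shape puts the failure path last. Inside the `if routeKind == ""` block, an early return reads more easily and gives an operator something to search for: `gvk, err := apiutil.GVKForObject(route, r.scheme)`, then `if err != nil { return fmt.Errorf("resolving kind for route %s/%s: %w", route.GetNamespace(), route.GetName(), err) }`, then `routeKind = gvk.Kind`. The added comment says what the code does, not why; the reason the kind can be empty here is inferred rather than shown, so it would help to spell it out in that comment. The function body continues outside the hunk.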
@@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gateway2/query (interfaces: GatewayQueries) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_queries.go -package mocks github.com/solo-io/gloo/projects/gateway2/query GatewayQueries +// // Package mocks is a generated GoMock package. package mocks @@ -8,9 +13,9 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" query "github.com/solo-io/gloo/projects/gateway2/query" types "github.com/solo-io/gloo/projects/gateway2/translator/types" + gomock "go.uber.org/mock/gomock" client "sigs.k8s.io/controller-runtime/pkg/client" v1 "sigs.k8s.io/gateway-api/apis/v1" ) @@ -19,6 +24,7 @@ import ( type MockGatewayQueries struct { ctrl *gomock.Controller recorder *MockGatewayQueriesMockRecorder + isgomock struct{} } // MockGatewayQueriesMockRecorder is the mock recorder for MockGatewayQueries. 
@@ -39,104 +45,104 @@ func (m *MockGatewayQueries) EXPECT() *MockGatewayQueriesMockRecorder { } // ConsolidateGateway mocks base method. -func (m *MockGatewayQueries) ConsolidateGateway(arg0 context.Context, arg1 *v1.Gateway) (*types.ConsolidatedGateway, error) { +func (m *MockGatewayQueries) ConsolidateGateway(ctx context.Context, gateway *v1.Gateway) (*types.ConsolidatedGateway, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ConsolidateGateway", arg0, arg1) + ret := m.ctrl.Call(m, "ConsolidateGateway", ctx, gateway) ret0, _ := ret[0].(*types.ConsolidatedGateway) ret1, _ := ret[1].(error) return ret0, ret1 } // ConsolidateGateway indicates an expected call of ConsolidateGateway. -func (mr *MockGatewayQueriesMockRecorder) ConsolidateGateway(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockGatewayQueriesMockRecorder) ConsolidateGateway(ctx, gateway any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConsolidateGateway", reflect.TypeOf((*MockGatewayQueries)(nil).ConsolidateGateway), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConsolidateGateway", reflect.TypeOf((*MockGatewayQueries)(nil).ConsolidateGateway), ctx, gateway) } // GetBackendForRef mocks base method. -func (m *MockGatewayQueries) GetBackendForRef(arg0 context.Context, arg1 query.From, arg2 *v1.BackendObjectReference) (client.Object, error) { +func (m *MockGatewayQueries) GetBackendForRef(ctx context.Context, obj query.From, backendRef *v1.BackendObjectReference) (client.Object, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetBackendForRef", arg0, arg1, arg2) + ret := m.ctrl.Call(m, "GetBackendForRef", ctx, obj, backendRef) ret0, _ := ret[0].(client.Object) ret1, _ := ret[1].(error) return ret0, ret1 } // GetBackendForRef indicates an expected call of GetBackendForRef. 
-func (mr *MockGatewayQueriesMockRecorder) GetBackendForRef(arg0, arg1, arg2 interface{}) *gomock.Call { +func (mr *MockGatewayQueriesMockRecorder) GetBackendForRef(ctx, obj, backendRef any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBackendForRef", reflect.TypeOf((*MockGatewayQueries)(nil).GetBackendForRef), arg0, arg1, arg2) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBackendForRef", reflect.TypeOf((*MockGatewayQueries)(nil).GetBackendForRef), ctx, obj, backendRef) } // GetLocalObjRef mocks base method. -func (m *MockGatewayQueries) GetLocalObjRef(arg0 context.Context, arg1 query.From, arg2 v1.LocalObjectReference) (client.Object, error) { +func (m *MockGatewayQueries) GetLocalObjRef(ctx context.Context, from query.From, localObjRef v1.LocalObjectReference) (client.Object, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetLocalObjRef", arg0, arg1, arg2) + ret := m.ctrl.Call(m, "GetLocalObjRef", ctx, from, localObjRef) ret0, _ := ret[0].(client.Object) ret1, _ := ret[1].(error) return ret0, ret1 } // GetLocalObjRef indicates an expected call of GetLocalObjRef. -func (mr *MockGatewayQueriesMockRecorder) GetLocalObjRef(arg0, arg1, arg2 interface{}) *gomock.Call { +func (mr *MockGatewayQueriesMockRecorder) GetLocalObjRef(ctx, from, localObjRef any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLocalObjRef", reflect.TypeOf((*MockGatewayQueries)(nil).GetLocalObjRef), arg0, arg1, arg2) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLocalObjRef", reflect.TypeOf((*MockGatewayQueries)(nil).GetLocalObjRef), ctx, from, localObjRef) } // GetRouteChain mocks base method. 
-func (m *MockGatewayQueries) GetRouteChain(arg0 context.Context, arg1 client.Object, arg2 []string, arg3 v1.ParentReference) *query.RouteInfo { +func (m *MockGatewayQueries) GetRouteChain(ctx context.Context, obj client.Object, hostnames []string, parentRef v1.ParentReference) *query.RouteInfo { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetRouteChain", arg0, arg1, arg2, arg3) + ret := m.ctrl.Call(m, "GetRouteChain", ctx, obj, hostnames, parentRef) ret0, _ := ret[0].(*query.RouteInfo) return ret0 } // GetRouteChain indicates an expected call of GetRouteChain. -func (mr *MockGatewayQueriesMockRecorder) GetRouteChain(arg0, arg1, arg2, arg3 interface{}) *gomock.Call { +func (mr *MockGatewayQueriesMockRecorder) GetRouteChain(ctx, obj, hostnames, parentRef any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRouteChain", reflect.TypeOf((*MockGatewayQueries)(nil).GetRouteChain), arg0, arg1, arg2, arg3) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRouteChain", reflect.TypeOf((*MockGatewayQueries)(nil).GetRouteChain), ctx, obj, hostnames, parentRef) } // GetRoutesForConsolidatedGateway mocks base method. -func (m *MockGatewayQueries) GetRoutesForConsolidatedGateway(arg0 context.Context, arg1 *types.ConsolidatedGateway) (*query.RoutesForGwResult, error) { +func (m *MockGatewayQueries) GetRoutesForConsolidatedGateway(ctx context.Context, cgw *types.ConsolidatedGateway) (*query.RoutesForGwResult, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetRoutesForConsolidatedGateway", arg0, arg1) + ret := m.ctrl.Call(m, "GetRoutesForConsolidatedGateway", ctx, cgw) ret0, _ := ret[0].(*query.RoutesForGwResult) ret1, _ := ret[1].(error) return ret0, ret1 } // GetRoutesForConsolidatedGateway indicates an expected call of GetRoutesForConsolidatedGateway. 
-func (mr *MockGatewayQueriesMockRecorder) GetRoutesForConsolidatedGateway(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockGatewayQueriesMockRecorder) GetRoutesForConsolidatedGateway(ctx, cgw any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRoutesForConsolidatedGateway", reflect.TypeOf((*MockGatewayQueries)(nil).GetRoutesForConsolidatedGateway), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRoutesForConsolidatedGateway", reflect.TypeOf((*MockGatewayQueries)(nil).GetRoutesForConsolidatedGateway), ctx, cgw) } // GetSecretForRef mocks base method. -func (m *MockGatewayQueries) GetSecretForRef(arg0 context.Context, arg1 query.From, arg2 v1.SecretObjectReference) (client.Object, error) { +func (m *MockGatewayQueries) GetSecretForRef(ctx context.Context, obj query.From, secretRef v1.SecretObjectReference) (client.Object, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetSecretForRef", arg0, arg1, arg2) + ret := m.ctrl.Call(m, "GetSecretForRef", ctx, obj, secretRef) ret0, _ := ret[0].(client.Object) ret1, _ := ret[1].(error) return ret0, ret1 } // GetSecretForRef indicates an expected call of GetSecretForRef. -func (mr *MockGatewayQueriesMockRecorder) GetSecretForRef(arg0, arg1, arg2 interface{}) *gomock.Call { +func (mr *MockGatewayQueriesMockRecorder) GetSecretForRef(ctx, obj, secretRef any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSecretForRef", reflect.TypeOf((*MockGatewayQueries)(nil).GetSecretForRef), arg0, arg1, arg2) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSecretForRef", reflect.TypeOf((*MockGatewayQueries)(nil).GetSecretForRef), ctx, obj, secretRef) } // ObjToFrom mocks base method. 
-func (m *MockGatewayQueries) ObjToFrom(arg0 client.Object) query.From { +func (m *MockGatewayQueries) ObjToFrom(obj client.Object) query.From { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ObjToFrom", arg0) + ret := m.ctrl.Call(m, "ObjToFrom", obj) ret0, _ := ret[0].(query.From) return ret0 } // ObjToFrom indicates an expected call of ObjToFrom. -func (mr *MockGatewayQueriesMockRecorder) ObjToFrom(arg0 interface{}) *gomock.Call { +func (mr *MockGatewayQueriesMockRecorder) ObjToFrom(obj any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ObjToFrom", reflect.TypeOf((*MockGatewayQueries)(nil).ObjToFrom), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ObjToFrom", reflect.TypeOf((*MockGatewayQueries)(nil).ObjToFrom), obj) } diff --git a/projects/gateway2/query/query_test.go b/projects/gateway2/query/query_test.go index 05e5b072a50..c3ab089086d 100644 --- a/projects/gateway2/query/query_test.go +++ b/projects/gateway2/query/query_test.go @@ -25,7 +25,7 @@ import ( "github.com/solo-io/gloo/projects/gateway2/wellknown" ) -//go:generate go run github.com/golang/mock/mockgen -destination mocks/mock_queries.go -package mocks github.com/solo-io/gloo/projects/gateway2/query GatewayQueries +//go:generate go run go.uber.org/mock/mockgen -destination mocks/mock_queries.go -package mocks github.com/solo-io/gloo/projects/gateway2/query GatewayQueries var _ = Describe("Query", func() { var ( diff --git a/projects/gateway2/translator/httproute/translate_httproute_test.go b/projects/gateway2/translator/httproute/translate_httproute_test.go index ca9ccd391f5..60fe99eaecd 100644 --- a/projects/gateway2/translator/httproute/translate_httproute_test.go +++ b/projects/gateway2/translator/httproute/translate_httproute_test.go 
@@ -3,9 +3,9 @@ package httproute_test import ( "context" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + "go.uber.org/mock/gomock" "istio.io/istio/pkg/kube/krt" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" diff --git a/projects/gateway2/translator/listener/gateway_listener_translator.go b/projects/gateway2/translator/listener/gateway_listener_translator.go index 89adf43ecbb..214a275d755 100644 --- a/projects/gateway2/translator/listener/gateway_listener_translator.go +++ b/projects/gateway2/translator/listener/gateway_listener_translator.go @@ -569,7 +569,7 @@ func (ml *MergedListener) TranslateListener( // will use a Gloo AggregatedListener with one TCP filter chain. type tcpFilterChain struct { parents []tcpFilterChainParent - tls *gwv1.GatewayTLSConfig + tls *gwv1.ListenerTLSConfig sniDomain *gwv1.Hostname } @@ -732,7 +732,7 @@ func (httpFilterChain *httpFilterChain) translateHttpFilterChain( type httpsFilterChain struct { gatewayListenerName string sniDomain *gwv1.Hostname - tls *gwv1.GatewayTLSConfig + tls *gwv1.ListenerTLSConfig routesWithHosts []*query.RouteInfo queries query.GatewayQueries } @@ -848,7 +848,7 @@ func translateSslConfig( ctx context.Context, parentNamespace string, sniDomain *gwv1.Hostname, - tls *gwv1.GatewayTLSConfig, + tls *gwv1.ListenerTLSConfig, queries query.GatewayQueries, ) (*ssl.SslConfig, error) { if tls == nil { diff --git a/projects/gateway2/translator/listener/gateway_listener_translator_test.go b/projects/gateway2/translator/listener/gateway_listener_translator_test.go index f1ab93eab90..e7c5638ee66 100644 --- a/projects/gateway2/translator/listener/gateway_listener_translator_test.go +++ b/projects/gateway2/translator/listener/gateway_listener_translator_test.go 
@@ -3,9 +3,9 @@ package listener_test import ( "context" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + "go.uber.org/mock/gomock" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" diff --git a/projects/gateway2/translator/listenerutils/utils.go b/projects/gateway2/translator/listenerutils/utils.go index e7ea83b1154..e1ed10e0172 100644 --- a/projects/gateway2/translator/listenerutils/utils.go +++ b/projects/gateway2/translator/listenerutils/utils.go @@ -18,7 +18,8 @@ func SetListenerSources(listener *v1.Listener, sources []*v1.SourceMetadata_Sour } } -func AppendSourceToListener(listener *v1.Listener, source client.Object) { +// AppendSourceToListener appends a source object to the Listener's static metadata +func AppendSourceToListener(listener *v1.Listener, source client.Object, resourceKind string) { meta := listener.GetMetadataStatic() if meta == nil { meta = &v1.SourceMetadata{} @@ -29,7 +30,7 @@ func AppendSourceToListener(listener *v1.Listener, source client.Object) { Name: source.GetName(), Namespace: source.GetNamespace(), }, - ResourceKind: source.GetObjectKind().GroupVersionKind().Kind, + ResourceKind: resourceKind, ObservedGeneration: source.GetGeneration(), }) listener.OpaqueMetadata = &v1.Listener_MetadataStatic{ diff --git a/projects/gateway2/translator/plugins/listeneroptions/listener_options_plugin.go b/projects/gateway2/translator/plugins/listeneroptions/listener_options_plugin.go index dab7e0b8d8e..3302f81b142 100644 --- a/projects/gateway2/translator/plugins/listeneroptions/listener_options_plugin.go +++ b/projects/gateway2/translator/plugins/listeneroptions/listener_options_plugin.go 
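Review bot: `AppendSourceToListener` in listenerutils/utils.go now trusts the caller for `resourceKind`, but the new doc comment does not say why the kind can no longer be read from `source`, and nothing rejects an empty string. An empty `ResourceKind` in the source metadata would make the recorded source ambiguous for whatever later maps it back to a resource. I would extend the comment, e.g. `// resourceKind is passed explicitly because source may not carry a populated GroupVersionKind.`, and add a fallback at the top of the function: `if resourceKind == "" { resourceKind = source.GetObjectKind().GroupVersionKind().Kind }`. The comment should also end with a period, as Go doc comments do. The function body continues outside both hunks.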
@@ -98,7 +98,7 @@ func (p *plugin) ApplyListenerPlugin( outListener.Options = optionUsed.Spec.GetOptions() } - listenerutils.AppendSourceToListener(outListener, optionUsed) + listenerutils.AppendSourceToListener(outListener, optionUsed, sologatewayv1.ListenerOptionGVK.Kind) nn := client.ObjectKeyFromObject(optionUsed) p.legacyStatusCache[nn] = newLegacyStatus() diff --git a/projects/gateway2/translator/plugins/mirror/mirror_plugin_test.go b/projects/gateway2/translator/plugins/mirror/mirror_plugin_test.go index 72bfc27b0bc..f627b069232 100644 --- a/projects/gateway2/translator/plugins/mirror/mirror_plugin_test.go +++ b/projects/gateway2/translator/plugins/mirror/mirror_plugin_test.go @@ -4,13 +4,13 @@ import ( "context" "testing" - "github.com/golang/mock/gomock" "github.com/onsi/gomega" "github.com/solo-io/gloo/projects/gateway2/query/mocks" "github.com/solo-io/gloo/projects/gateway2/translator/plugins" "github.com/solo-io/gloo/projects/gateway2/translator/plugins/mirror" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" gloov1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/kube/apis/gloo.solo.io/v1" + "go.uber.org/mock/gomock" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" diff --git a/projects/gateway2/translator/plugins/routeoptions/query/query.go b/projects/gateway2/translator/plugins/routeoptions/query/query.go index 2524eb5199d..1380bb46515 100644 --- a/projects/gateway2/translator/plugins/routeoptions/query/query.go +++ b/projects/gateway2/translator/plugins/routeoptions/query/query.go @@ -182,7 +182,7 @@ func routeOptionToSourceRef(opt *solokubev1.RouteOption) *gloov1.SourceMetadata_ Name: opt.GetName(), Namespace: opt.GetNamespace(), }, - ResourceKind: opt.GetObjectKind().GroupVersionKind().Kind, + ResourceKind: routeOptionGK.Kind, ObservedGeneration: opt.GetGeneration(), } } 
diff --git a/projects/gateway2/translator/plugins/virtualhostoptions/virtualhost_options_plugin.go b/projects/gateway2/translator/plugins/virtualhostoptions/virtualhost_options_plugin.go index c729a5aeb8a..1c6e0ef7f98 100644 --- a/projects/gateway2/translator/plugins/virtualhostoptions/virtualhost_options_plugin.go +++ b/projects/gateway2/translator/plugins/virtualhostoptions/virtualhost_options_plugin.go @@ -141,7 +141,7 @@ func (p *plugin) ApplyListenerPlugin( v.Options = merged.Spec.GetOptions() vhostutils.AppendSourceToVirtualHost(v, opt) } - listenerutils.AppendSourceToListener(outListener, opt) + listenerutils.AppendSourceToListener(outListener, opt, sologatewayv1.VirtualHostOptionGVK.Kind) // track that we used this VirtualHostOption in our status cache // we do this so we can persist status later for all attached VirtualHostOptions diff --git a/projects/gateway2/translator/sslutils/ssl_utils.go b/projects/gateway2/translator/sslutils/ssl_utils.go index c6288cad95a..299e97b0ad2 100644 --- a/projects/gateway2/translator/sslutils/ssl_utils.go +++ b/projects/gateway2/translator/sslutils/ssl_utils.go @@ -162,10 +162,10 @@ var SslExtensionOptionFuncs = map[string]SslExtensionOptionFunc{ GatewaySslVerifySubjectAltName: ApplyVerifySubjectAltName, } -// ApplySslExtensionOptions applies the GatewayTLSConfig options to the SslConfig +// ApplySslExtensionOptions applies the ListenerTLSConfig options to the SslConfig // This function will never exit early, even if an error is encountered. // It will apply all options and log all errors encountered. -func ApplySslExtensionOptions(ctx context.Context, in *gwv1.GatewayTLSConfig, out *ssl.SslConfig) { +func ApplySslExtensionOptions(ctx context.Context, in *gwv1.ListenerTLSConfig, out *ssl.SslConfig) { var wrapped error for key, option := range in.Options { if extensionFunc, ok := SslExtensionOptionFuncs[string(key)]; ok { 
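Review bot: The doc comment on `ApplySslExtensionOptions` in sslutils/ssl_utils.go says errors are only logged, which means an invalid or unrecognised option leaves the corresponding `SslConfig` field at its default instead of failing the listener. The `invalid_one_way_tls` and `misspelled_option` cases in ssl_utils_test.go pin that behaviour, since both expect an empty `ssl.SslConfig`. For options such as `GatewaySslMinimumTlsVersion` or `GatewaySslVerifySubjectAltName` that is a fail-open outcome, because a typo silently drops the restriction. While the signature is being touched, state this in the comment, e.g. `// Invalid or unknown options are logged and skipped; the resulting SslConfig keeps its defaults for them.` The body continues outside the hunk, so whether the collected error surfaces anywhere besides the log cannot be seen here.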
diff --git a/projects/gateway2/translator/sslutils/ssl_utils_test.go b/projects/gateway2/translator/sslutils/ssl_utils_test.go index b450001033b..15bd69955e6 100644 --- a/projects/gateway2/translator/sslutils/ssl_utils_test.go +++ b/projects/gateway2/translator/sslutils/ssl_utils_test.go @@ -20,7 +20,7 @@ func TestApplySslExtensionOptions(t *testing.T) { testCases := []struct { name string out *ssl.SslConfig - in *gwv1.GatewayTLSConfig + in *gwv1.ListenerTLSConfig errors []string }{ { @@ -28,7 +28,7 @@ func TestApplySslExtensionOptions(t *testing.T) { out: &ssl.SslConfig{ OneWayTls: wrapperspb.Bool(true), }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslOneWayTls: "true", }, @@ -39,7 +39,7 @@ func TestApplySslExtensionOptions(t *testing.T) { out: &ssl.SslConfig{ OneWayTls: wrapperspb.Bool(true), }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslOneWayTls: "True", }, @@ -50,7 +50,7 @@ func TestApplySslExtensionOptions(t *testing.T) { out: &ssl.SslConfig{ OneWayTls: wrapperspb.Bool(false), }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslOneWayTls: "false", }, @@ -61,7 +61,7 @@ func TestApplySslExtensionOptions(t *testing.T) { out: &ssl.SslConfig{ OneWayTls: wrapperspb.Bool(false), }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslOneWayTls: "False", }, @@ -70,7 +70,7 @@ func TestApplySslExtensionOptions(t *testing.T) { { name: "invalid_one_way_tls", out: &ssl.SslConfig{}, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslOneWayTls: "Foo", }, 
@@ -84,7 +84,7 @@ func TestApplySslExtensionOptions(t *testing.T) { CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}, }, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslCipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", }, @@ -97,7 +97,7 @@ func TestApplySslExtensionOptions(t *testing.T) { EcdhCurves: []string{"X25519MLKEM768", "X25519", "P-256"}, }, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslEcdhCurves: "X25519MLKEM768,X25519,P-256", }, @@ -108,7 +108,7 @@ func TestApplySslExtensionOptions(t *testing.T) { out: &ssl.SslConfig{ VerifySubjectAltName: []string{"foo", "bar"}, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslVerifySubjectAltName: "foo,bar", }, @@ -121,7 +121,7 @@ func TestApplySslExtensionOptions(t *testing.T) { MaximumProtocolVersion: ssl.SslParameters_TLSv1_2, }, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslMaximumTlsVersion: "TLSv1_2", }, @@ -134,7 +134,7 @@ func TestApplySslExtensionOptions(t *testing.T) { MinimumProtocolVersion: ssl.SslParameters_TLSv1_3, }, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslMinimumTlsVersion: "TLSv1_3", }, @@ -145,7 +145,7 @@ func TestApplySslExtensionOptions(t *testing.T) { out: &ssl.SslConfig{ Parameters: &ssl.SslParameters{}, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslMinimumTlsVersion: "TLSv1.3", GatewaySslMaximumTlsVersion: "TLSv1.2", 
@@ -162,7 +162,7 @@ func TestApplySslExtensionOptions(t *testing.T) { VerifySubjectAltName: []string{"foo", "bar"}, Parameters: &ssl.SslParameters{}, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslMinimumTlsVersion: "TLSv1_3", GatewaySslMaximumTlsVersion: "TLSv1_2", @@ -185,7 +185,7 @@ func TestApplySslExtensionOptions(t *testing.T) { EcdhCurves: []string{"X25519MLKEM768", "X25519", "P-256"}, }, }, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslMaximumTlsVersion: "TLSv1_3", GatewaySslMinimumTlsVersion: "TLSv1_2", @@ -199,7 +199,7 @@ func TestApplySslExtensionOptions(t *testing.T) { { name: "misspelled_option", out: &ssl.SslConfig{}, - in: &gwv1.GatewayTLSConfig{ + in: &gwv1.ListenerTLSConfig{ Options: map[gwv1.AnnotationKey]gwv1.AnnotationValue{ GatewaySslMinimumTlsVersion + "s": "TLSv1_3", }, diff --git a/projects/gateway2/translator/vhostutils/utils.go b/projects/gateway2/translator/vhostutils/utils.go index 8d7f6325b1c..15274372b98 100644 --- a/projects/gateway2/translator/vhostutils/utils.go +++ b/projects/gateway2/translator/vhostutils/utils.go @@ -1,11 +1,13 @@ package vhostutils import ( + sologatewayv1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" "sigs.k8s.io/controller-runtime/pkg/client" ) +// AppendSourceToVirtualHost appends a source VirtualHostOption to the VirtualHost's metadata static func AppendSourceToVirtualHost(vh *v1.VirtualHost, source client.Object) { meta := vh.GetMetadataStatic() if meta == nil { 
@@ -17,7 +19,7 @@ func AppendSourceToVirtualHost(vh *v1.VirtualHost, source client.Object) { Name: source.GetName(), Namespace: source.GetNamespace(), }, - ResourceKind: source.GetObjectKind().GroupVersionKind().Kind, + ResourceKind: sologatewayv1.VirtualHostOptionGVK.Kind, ObservedGeneration: source.GetGeneration(), }) vh.OpaqueMetadata = &v1.VirtualHost_MetadataStatic{ diff --git a/projects/gateway2/validation/validator_test.go b/projects/gateway2/validation/validator_test.go index 65013b2feb6..6d1876b3fc2 100644 --- a/projects/gateway2/validation/validator_test.go +++ b/projects/gateway2/validation/validator_test.go @@ -3,8 +3,8 @@ package validation_test import ( "context" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" + "go.uber.org/mock/gomock" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/wrapperspb" "k8s.io/client-go/kubernetes/fake" diff --git a/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto b/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto index 9537b66cb91..9ce71019035 100644 --- a/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto +++ b/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto @@ -61,6 +61,8 @@ message JWTPrincipal { BOOLEAN = 1; // The JWT claim value is a list that contains a string that exactly matches the value. LIST_CONTAINS = 2; + // The JWT claim value is a glob pattern that matches the value. + GLOB_MATCH = 3; } // The matcher to use when evaluating this principal. By default, exact string comparison (EXACT_STRING) is used. ClaimMatcher matcher = 3; diff --git a/projects/gloo/cli/pkg/cmd/add/root_test.go b/projects/gloo/cli/pkg/cmd/add/root_test.go index 4ec567c8bb4..d635169fc71 100644 --- a/projects/gloo/cli/pkg/cmd/add/root_test.go +++ b/projects/gloo/cli/pkg/cmd/add/root_test.go 
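Review bot: `ResourceKind` is now hard-coded to `sologatewayv1.VirtualHostOptionGVK.Kind` while `source` is still accepted as any `client.Object`, so a caller passing some other resource would be recorded under the wrong kind in the virtual host's source metadata. Either narrow the parameter to the concrete VirtualHostOption type, or state the restriction in the function's doc comment, e.g. `// source must be a VirtualHostOption; its kind is recorded as VirtualHostOption regardless of the object's own GVK.` The function starts and ends outside this hunk, so I cannot see whether other callers exist.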
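Review bot: The comment on `GLOB_MATCH` reads as if the claim carried in the JWT is the pattern, which is the unsafe direction for an authorization matcher: a token whose claim is `*` would then match any configured value. Assuming the intent is the reverse, the comment should say that the value configured in `claims` is the glob and the token's claim is the string tested against it. It should also name the glob syntax that is supported and say whether the whole claim must match. Suggested wording: `// The configured value is a glob pattern; the JWT claim value must match it in full.` The generated comment in rbac.pb.go would pick up the same text on regeneration.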
@@ -30,7 +30,6 @@ var _ = Describe("Root", func() { Expect(out).To(ContainSubstring(`apiVersion: gateway.solo.io/v1 kind: VirtualService metadata: - creationTimestamp: null name: test namespace: gloo-system spec: diff --git a/projects/gloo/cli/pkg/cmd/create/output_format_test.go b/projects/gloo/cli/pkg/cmd/create/output_format_test.go index 29f2e8280b1..f7657a6e168 100644 --- a/projects/gloo/cli/pkg/cmd/create/output_format_test.go +++ b/projects/gloo/cli/pkg/cmd/create/output_format_test.go @@ -17,7 +17,6 @@ var _ = Describe("Upstream", func() { kubeYamlOutput := `apiVersion: gloo.solo.io/v1 kind: Upstream metadata: - creationTimestamp: null name: jsonplaceholder-80 namespace: gloo-system spec: diff --git a/projects/gloo/cli/pkg/cmd/create/secret/encryption_key_test.go b/projects/gloo/cli/pkg/cmd/create/secret/encryption_key_test.go index 584976c84ac..9af92ce1332 100644 --- a/projects/gloo/cli/pkg/cmd/create/secret/encryption_key_test.go +++ b/projects/gloo/cli/pkg/cmd/create/secret/encryption_key_test.go @@ -67,7 +67,6 @@ var _ = Describe("EncryptionKey", func() { Expect(out).To(ContainSubstring(`data: key: ` + encryptionKeyBase64 + ` metadata: - creationTimestamp: null name: ` + secretName + ` namespace: gloo-system type: gloo.solo.io.EncryptionKeySecret diff --git a/projects/gloo/cli/pkg/cmd/create/secret/extauth_apikey_test.go b/projects/gloo/cli/pkg/cmd/create/secret/extauth_apikey_test.go index 37895668717..0da2b61f84e 100644 --- a/projects/gloo/cli/pkg/cmd/create/secret/extauth_apikey_test.go +++ b/projects/gloo/cli/pkg/cmd/create/secret/extauth_apikey_test.go @@ -77,7 +77,6 @@ var _ = Describe("ExtauthApiKey", func() { Expect(err).NotTo(HaveOccurred()) fmt.Print(out) Expect(out).To(ContainSubstring(`metadata: - creationTimestamp: null labels: k1: v1 k2: v2 diff --git a/projects/gloo/cli/pkg/cmd/create/secret/extauth_oauth_test.go b/projects/gloo/cli/pkg/cmd/create/secret/extauth_oauth_test.go index 5927d98f036..aa39768dccb 100644 
--- a/projects/gloo/cli/pkg/cmd/create/secret/extauth_oauth_test.go +++ b/projects/gloo/cli/pkg/cmd/create/secret/extauth_oauth_test.go @@ -59,7 +59,6 @@ var _ = Describe("ExtauthOauth", func() { Expect(out).To(ContainSubstring(`data: client-secret: MTIz metadata: - creationTimestamp: null name: oauth namespace: gloo-system type: extauth.solo.io/oauth diff --git a/projects/gloo/cli/pkg/cmd/create/secret/secret_test.go b/projects/gloo/cli/pkg/cmd/create/secret/secret_test.go index d4f20f7b68e..68042d26c1c 100644 --- a/projects/gloo/cli/pkg/cmd/create/secret/secret_test.go +++ b/projects/gloo/cli/pkg/cmd/create/secret/secret_test.go @@ -75,7 +75,6 @@ var _ = Describe("Secret", func() { aws_access_key_id: Zm9v aws_secret_access_key: YmFy metadata: - creationTimestamp: null name: test namespace: gloo-system type: Opaque @@ -90,7 +89,6 @@ type: Opaque aws_secret_access_key: YmFy aws_session_token: d2F6 metadata: - creationTimestamp: null name: test namespace: gloo-system type: Opaque @@ -141,7 +139,6 @@ type: Opaque metadata: annotations: resource_kind: '*v1.Secret' - creationTimestamp: null name: test namespace: gloo-system `)) @@ -267,7 +264,6 @@ metadata: tls.key: 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 tls.ocsp-staple: Ck9DU1AgUmVzcG9uc2UgRGF0YToKCU9DU1AgUmVzcG9uc2UgU3RhdHVzOiBzdWNjZXNzZnVsICgweDApCglSZXNwb25zZSBUeXBlOiBCYXNpYyBPQ1NQIFJlc3BvbnNlCglWZXJzaW9uOiAxICgweDApCglSZXNwb25kZXIgSWQ6IENOPXBldHN0b3JlLmV4YW1wbGUuY29tCglQcm9kdWNlZCBBdDogQXByICAyMCAwOjA6MCAyMDIzIEVTVAoJUmVzcG9uc2VzOgoJQ2VydGlmaWNhdGUgSUQ6CglIYXNoIEFsZ29yaXRobTogc2hhMQoJCUlzc3VlciBOYW1lIEhhc2g6IHRlc3QKCQlJc3N1ZXIgS2V5IEhhc2g6IHRlc3QKCQlTZXJpYWwgTnVtYmVyOiAxMjM0CglDZXJ0IFN0YXR1czogZ29vZAoJVGhpcyBVcGRhdGU6IEFwciAgNCAxOToyODo0NiAyMDE5IEdNVAoKCVNpZ25hdHVyZSBBbGdvcml0aG06IHNoYTI1NldpdGhSU0FFbmNyeXB0aW9uCgkJdGVzdAo= metadata: - creationTimestamp: null name: test namespace: gloo-system type: kubernetes.io/tls 
diff --git a/projects/gloo/cli/pkg/cmd/create/upstream_test.go b/projects/gloo/cli/pkg/cmd/create/upstream_test.go index c12a2937990..d6dd0143c48 100644 --- a/projects/gloo/cli/pkg/cmd/create/upstream_test.go +++ b/projects/gloo/cli/pkg/cmd/create/upstream_test.go @@ -252,7 +252,6 @@ var _ = Describe("Upstream", func() { Expect(out).To(ContainSubstring(`apiVersion: gloo.solo.io/v1 kind: Upstream metadata: - creationTimestamp: null name: kube-upstream namespace: gloo-system spec: diff --git a/projects/gloo/cli/pkg/cmd/create/upstreamgroup_test.go b/projects/gloo/cli/pkg/cmd/create/upstreamgroup_test.go index 063b17213ff..af5fa82b550 100644 --- a/projects/gloo/cli/pkg/cmd/create/upstreamgroup_test.go +++ b/projects/gloo/cli/pkg/cmd/create/upstreamgroup_test.go @@ -134,7 +134,6 @@ var _ = Describe("UpstreamGroup", func() { Expect(out).To(ContainSubstring(`apiVersion: gloo.solo.io/v1 kind: UpstreamGroup metadata: - creationTimestamp: null name: test namespace: gloo-system spec: diff --git a/projects/gloo/cli/pkg/cmd/create/virtualservice_glooe_test.go b/projects/gloo/cli/pkg/cmd/create/virtualservice_glooe_test.go index 1cc57adf22a..1e25f93ed07 100644 --- a/projects/gloo/cli/pkg/cmd/create/virtualservice_glooe_test.go +++ b/projects/gloo/cli/pkg/cmd/create/virtualservice_glooe_test.go @@ -91,7 +91,6 @@ var _ = Describe("VirtualService", func() { Expect(out).To(ContainSubstring(`apiVersion: gateway.solo.io/v1 kind: VirtualService metadata: - creationTimestamp: null name: vs namespace: gloo-system spec: diff --git a/projects/gloo/cli/pkg/cmd/create/virtualservice_test.go b/projects/gloo/cli/pkg/cmd/create/virtualservice_test.go index f7ebfb9fb24..f36575598fd 100644 --- a/projects/gloo/cli/pkg/cmd/create/virtualservice_test.go +++ b/projects/gloo/cli/pkg/cmd/create/virtualservice_test.go 
@@ -23,7 +23,6 @@ var _ = Describe("Virtualservice", func() { Expect(out).To(ContainSubstring(`apiVersion: gateway.solo.io/v1 kind: VirtualService metadata: - creationTimestamp: null name: vs namespace: gloo-system spec: diff --git a/projects/gloo/cli/pkg/cmd/gatewayapi/convert/convert.go b/projects/gloo/cli/pkg/cmd/gatewayapi/convert/convert.go index f873406bcc3..df682bd0a91 100644 --- a/projects/gloo/cli/pkg/cmd/gatewayapi/convert/convert.go +++ b/projects/gloo/cli/pkg/cmd/gatewayapi/convert/convert.go @@ -200,8 +200,8 @@ func (o *GatewayAPIOutput) convertVirtualServiceListener(vs *snapshot.VirtualSer return nil } -func (o *GatewayAPIOutput) generateTLSConfiguration(vs *snapshot.VirtualServiceWrapper) *gwv1.GatewayTLSConfig { - tlsConfig := &gwv1.GatewayTLSConfig{ +func (o *GatewayAPIOutput) generateTLSConfiguration(vs *snapshot.VirtualServiceWrapper) *gwv1.ListenerTLSConfig { + tlsConfig := &gwv1.ListenerTLSConfig{ Mode: ptr.To(gwv1.TLSModeTerminate), //FrontendValidation: nil, // TODO do we need to set this? //Options: nil, // TODO do we need to set this? diff --git a/projects/gloo/cli/pkg/cmd/get/output_format_test.go b/projects/gloo/cli/pkg/cmd/get/output_format_test.go index 301634642eb..75bffc81210 100644 --- a/projects/gloo/cli/pkg/cmd/get/output_format_test.go +++ b/projects/gloo/cli/pkg/cmd/get/output_format_test.go @@ -54,7 +54,6 @@ var _ = Describe("Upstream", func() { kubeYamlOutput := `apiVersion: gloo.solo.io/v1 kind: Upstream metadata: - creationTimestamp: null name: jsonplaceholder-80 namespace: gloo-system resourceVersion: "2" diff --git a/projects/gloo/cli/pkg/cmd/install/installer_test.go b/projects/gloo/cli/pkg/cmd/install/installer_test.go index b20d1f7e102..d0de57be4b1 100644 --- a/projects/gloo/cli/pkg/cmd/install/installer_test.go +++ b/projects/gloo/cli/pkg/cmd/install/installer_test.go 
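Review bot: `generateTLSConfiguration` fills in only `Mode` in the visible lines, and `FrontendValidation` and `Options` are still commented-out TODOs. Unless they are set further down (the function continues past the hunk), a VirtualService that required client certificates or restricted TLS versions would be converted into a listener without those controls. While the type is being touched, I would make the gap explicit rather than leave an open question, e.g. replace the TODOs with `// NOTE: client-certificate validation and SSL options from the VirtualService are not carried over; review the generated listener before applying.` Ideally the converter would also report this in its output, so the downgrade is visible to whoever runs the migration.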
@@ -8,7 +8,6 @@ import ( "k8s.io/client-go/kubernetes/fake" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/solo-io/gloo/pkg/version" @@ -17,6 +16,7 @@ import ( "github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/options" "github.com/solo-io/gloo/projects/gloo/cli/pkg/constants" "github.com/solo-io/gloo/projects/gloo/pkg/defaults" + "go.uber.org/mock/gomock" helmchart "helm.sh/helm/v3/pkg/chart" "helm.sh/helm/v3/pkg/cli" "helm.sh/helm/v3/pkg/release" diff --git a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_client.go b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_client.go index 753ee7cea1e..126717828c7 100644 --- a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_client.go +++ b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_client.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install (interfaces: HelmClient) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_helm_client.go -package mocks github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install HelmClient +// // Package mocks is a generated GoMock package. package mocks @@ -7,8 +12,8 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" install "github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install" + gomock "go.uber.org/mock/gomock" chart "helm.sh/helm/v3/pkg/chart" cli "helm.sh/helm/v3/pkg/cli" ) @@ -17,6 +22,7 @@ import ( type MockHelmClient struct { ctrl *gomock.Controller recorder *MockHelmClientMockRecorder + isgomock struct{} } // MockHelmClientMockRecorder is the mock recorder for MockHelmClient. 
@@ -37,24 +43,24 @@ func (m *MockHelmClient) EXPECT() *MockHelmClientMockRecorder { } // DownloadChart mocks base method. -func (m *MockHelmClient) DownloadChart(arg0 string) (*chart.Chart, error) { +func (m *MockHelmClient) DownloadChart(chartArchiveUri string) (*chart.Chart, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DownloadChart", arg0) + ret := m.ctrl.Call(m, "DownloadChart", chartArchiveUri) ret0, _ := ret[0].(*chart.Chart) ret1, _ := ret[1].(error) return ret0, ret1 } // DownloadChart indicates an expected call of DownloadChart. -func (mr *MockHelmClientMockRecorder) DownloadChart(arg0 interface{}) *gomock.Call { +func (mr *MockHelmClientMockRecorder) DownloadChart(chartArchiveUri any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DownloadChart", reflect.TypeOf((*MockHelmClient)(nil).DownloadChart), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DownloadChart", reflect.TypeOf((*MockHelmClient)(nil).DownloadChart), chartArchiveUri) } // NewInstall mocks base method. -func (m *MockHelmClient) NewInstall(arg0, arg1 string, arg2 bool, arg3 string) (install.HelmInstallation, *cli.EnvSettings, error) { +func (m *MockHelmClient) NewInstall(namespace, releaseName string, dryRun bool, context string) (install.HelmInstallation, *cli.EnvSettings, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NewInstall", arg0, arg1, arg2, arg3) + ret := m.ctrl.Call(m, "NewInstall", namespace, releaseName, dryRun, context) ret0, _ := ret[0].(install.HelmInstallation) ret1, _ := ret[1].(*cli.EnvSettings) ret2, _ := ret[2].(error) 
@@ -62,52 +68,52 @@ func (m *MockHelmClient) NewInstall(arg0, arg1 string, arg2 bool, arg3 string) ( } // NewInstall indicates an expected call of NewInstall. -func (mr *MockHelmClientMockRecorder) NewInstall(arg0, arg1, arg2, arg3 interface{}) *gomock.Call { +func (mr *MockHelmClientMockRecorder) NewInstall(namespace, releaseName, dryRun, context any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewInstall", reflect.TypeOf((*MockHelmClient)(nil).NewInstall), arg0, arg1, arg2, arg3) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewInstall", reflect.TypeOf((*MockHelmClient)(nil).NewInstall), namespace, releaseName, dryRun, context) } // NewUninstall mocks base method. -func (m *MockHelmClient) NewUninstall(arg0 string) (install.HelmUninstallation, error) { +func (m *MockHelmClient) NewUninstall(namespace string) (install.HelmUninstallation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NewUninstall", arg0) + ret := m.ctrl.Call(m, "NewUninstall", namespace) ret0, _ := ret[0].(install.HelmUninstallation) ret1, _ := ret[1].(error) return ret0, ret1 } // NewUninstall indicates an expected call of NewUninstall. -func (mr *MockHelmClientMockRecorder) NewUninstall(arg0 interface{}) *gomock.Call { +func (mr *MockHelmClientMockRecorder) NewUninstall(namespace any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewUninstall", reflect.TypeOf((*MockHelmClient)(nil).NewUninstall), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewUninstall", reflect.TypeOf((*MockHelmClient)(nil).NewUninstall), namespace) } // ReleaseExists mocks base method. 
-func (m *MockHelmClient) ReleaseExists(arg0, arg1 string) (bool, error) { +func (m *MockHelmClient) ReleaseExists(namespace, releaseName string) (bool, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ReleaseExists", arg0, arg1) + ret := m.ctrl.Call(m, "ReleaseExists", namespace, releaseName) ret0, _ := ret[0].(bool) ret1, _ := ret[1].(error) return ret0, ret1 } // ReleaseExists indicates an expected call of ReleaseExists. -func (mr *MockHelmClientMockRecorder) ReleaseExists(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockHelmClientMockRecorder) ReleaseExists(namespace, releaseName any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReleaseExists", reflect.TypeOf((*MockHelmClient)(nil).ReleaseExists), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReleaseExists", reflect.TypeOf((*MockHelmClient)(nil).ReleaseExists), namespace, releaseName) } // ReleaseList mocks base method. -func (m *MockHelmClient) ReleaseList(arg0 string) (install.HelmReleaseListRunner, error) { +func (m *MockHelmClient) ReleaseList(namespace string) (install.HelmReleaseListRunner, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ReleaseList", arg0) + ret := m.ctrl.Call(m, "ReleaseList", namespace) ret0, _ := ret[0].(install.HelmReleaseListRunner) ret1, _ := ret[1].(error) return ret0, ret1 } // ReleaseList indicates an expected call of ReleaseList. -func (mr *MockHelmClientMockRecorder) ReleaseList(arg0 interface{}) *gomock.Call { +func (mr *MockHelmClientMockRecorder) ReleaseList(namespace any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReleaseList", reflect.TypeOf((*MockHelmClient)(nil).ReleaseList), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReleaseList", reflect.TypeOf((*MockHelmClient)(nil).ReleaseList), namespace) } 
diff --git a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_installation.go b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_installation.go index dd79ce0ed0f..0b6d4b78e9a 100644 --- a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_installation.go +++ b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_installation.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install (interfaces: HelmInstallation) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_helm_installation.go -package mocks github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install HelmInstallation +// // Package mocks is a generated GoMock package. package mocks @@ -7,7 +12,7 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" + gomock "go.uber.org/mock/gomock" chart "helm.sh/helm/v3/pkg/chart" release "helm.sh/helm/v3/pkg/release" ) @@ -16,6 +21,7 @@ import ( type MockHelmInstallation struct { ctrl *gomock.Controller recorder *MockHelmInstallationMockRecorder + isgomock struct{} } // MockHelmInstallationMockRecorder is the mock recorder for MockHelmInstallation. 
@@ -36,16 +42,16 @@ func (m *MockHelmInstallation) EXPECT() *MockHelmInstallationMockRecorder { } // Run mocks base method. -func (m *MockHelmInstallation) Run(arg0 *chart.Chart, arg1 map[string]interface{}) (*release.Release, error) { +func (m *MockHelmInstallation) Run(chrt *chart.Chart, vals map[string]any) (*release.Release, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Run", arg0, arg1) + ret := m.ctrl.Call(m, "Run", chrt, vals) ret0, _ := ret[0].(*release.Release) ret1, _ := ret[1].(error) return ret0, ret1 } // Run indicates an expected call of Run. -func (mr *MockHelmInstallationMockRecorder) Run(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockHelmInstallationMockRecorder) Run(chrt, vals any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockHelmInstallation)(nil).Run), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockHelmInstallation)(nil).Run), chrt, vals) } diff --git a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_release_list.go b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_release_list.go index ce0aaa15322..81ed6cf3bc8 100644 --- a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_release_list.go +++ b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_release_list.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install (interfaces: HelmReleaseListRunner) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_helm_release_list.go -package mocks github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install HelmReleaseListRunner +// // Package mocks is a generated GoMock package. package mocks @@ -7,7 +12,7 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" + gomock "go.uber.org/mock/gomock" release "helm.sh/helm/v3/pkg/release" ) 
@@ -15,6 +20,7 @@ import ( type MockHelmReleaseListRunner struct { ctrl *gomock.Controller recorder *MockHelmReleaseListRunnerMockRecorder + isgomock struct{} } // MockHelmReleaseListRunnerMockRecorder is the mock recorder for MockHelmReleaseListRunner. @@ -50,13 +56,13 @@ func (mr *MockHelmReleaseListRunnerMockRecorder) Run() *gomock.Call { } // SetFilter mocks base method. -func (m *MockHelmReleaseListRunner) SetFilter(arg0 string) { +func (m *MockHelmReleaseListRunner) SetFilter(filter string) { m.ctrl.T.Helper() - m.ctrl.Call(m, "SetFilter", arg0) + m.ctrl.Call(m, "SetFilter", filter) } // SetFilter indicates an expected call of SetFilter. -func (mr *MockHelmReleaseListRunnerMockRecorder) SetFilter(arg0 interface{}) *gomock.Call { +func (mr *MockHelmReleaseListRunnerMockRecorder) SetFilter(filter any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetFilter", reflect.TypeOf((*MockHelmReleaseListRunner)(nil).SetFilter), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetFilter", reflect.TypeOf((*MockHelmReleaseListRunner)(nil).SetFilter), filter) } diff --git a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_uninstallation.go b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_uninstallation.go index 3f4d94ea5a4..55f37741ef5 100644 --- a/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_uninstallation.go +++ b/projects/gloo/cli/pkg/cmd/install/mocks/mock_helm_uninstallation.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install (interfaces: HelmUninstallation) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_helm_uninstallation.go -package mocks github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install HelmUninstallation +// // Package mocks is a generated GoMock package. package mocks 
@@ -7,7 +12,7 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" + gomock "go.uber.org/mock/gomock" release "helm.sh/helm/v3/pkg/release" ) @@ -15,6 +20,7 @@ import ( type MockHelmUninstallation struct { ctrl *gomock.Controller recorder *MockHelmUninstallationMockRecorder + isgomock struct{} } // MockHelmUninstallationMockRecorder is the mock recorder for MockHelmUninstallation. @@ -35,16 +41,16 @@ func (m *MockHelmUninstallation) EXPECT() *MockHelmUninstallationMockRecorder { } // Run mocks base method. -func (m *MockHelmUninstallation) Run(arg0 string) (*release.UninstallReleaseResponse, error) { +func (m *MockHelmUninstallation) Run(name string) (*release.UninstallReleaseResponse, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Run", arg0) + ret := m.ctrl.Call(m, "Run", name) ret0, _ := ret[0].(*release.UninstallReleaseResponse) ret1, _ := ret[1].(error) return ret0, ret1 } // Run indicates an expected call of Run. -func (mr *MockHelmUninstallationMockRecorder) Run(arg0 interface{}) *gomock.Call { +func (mr *MockHelmUninstallationMockRecorder) Run(name any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockHelmUninstallation)(nil).Run), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockHelmUninstallation)(nil).Run), name) } diff --git a/projects/gloo/cli/pkg/cmd/install/uninstall_test.go b/projects/gloo/cli/pkg/cmd/install/uninstall_test.go index 28be10be0bb..aa54513ab0f 100644 --- a/projects/gloo/cli/pkg/cmd/install/uninstall_test.go +++ b/projects/gloo/cli/pkg/cmd/install/uninstall_test.go @@ -6,7 +6,6 @@ import ( "fmt" "strings" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/solo-io/gloo/pkg/cliutil/testutil" 
@@ -15,6 +14,7 @@ import ( "github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/options" "github.com/solo-io/gloo/projects/gloo/cli/pkg/constants" "github.com/solo-io/gloo/projects/gloo/pkg/defaults" + "go.uber.org/mock/gomock" "helm.sh/helm/v3/pkg/chart" "helm.sh/helm/v3/pkg/release" ) diff --git a/projects/gloo/cli/pkg/cmd/version/mocks/mock_watcher.go b/projects/gloo/cli/pkg/cmd/version/mocks/mock_watcher.go index 9a16e7056b4..199861e58db 100644 --- a/projects/gloo/cli/pkg/cmd/version/mocks/mock_watcher.go +++ b/projects/gloo/cli/pkg/cmd/version/mocks/mock_watcher.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: clients.go +// +// Generated by this command: +// +// mockgen -destination ./mocks/mock_watcher.go -source clients.go +// // Package mock_version is a generated GoMock package. package mock_version @@ -8,14 +13,15 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" version "github.com/solo-io/gloo/projects/gloo/pkg/api/grpc/version" + gomock "go.uber.org/mock/gomock" ) // MockServerVersion is a mock of ServerVersion interface. type MockServerVersion struct { ctrl *gomock.Controller recorder *MockServerVersionMockRecorder + isgomock struct{} } // MockServerVersionMockRecorder is the mock recorder for MockServerVersion. @@ -45,7 +51,7 @@ func (m *MockServerVersion) Get(ctx context.Context) ([]*version.ServerVersion, } // Get indicates an expected call of Get. -func (mr *MockServerVersionMockRecorder) Get(ctx interface{}) *gomock.Call { +func (mr *MockServerVersionMockRecorder) Get(ctx any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockServerVersion)(nil).Get), ctx) } diff --git a/projects/gloo/cli/pkg/cmd/version/version_test.go b/projects/gloo/cli/pkg/cmd/version/version_test.go index 4d87f93c457..8f333966cfb 100644 --- a/projects/gloo/cli/pkg/cmd/version/version_test.go 
+++ b/projects/gloo/cli/pkg/cmd/version/version_test.go @@ -5,7 +5,6 @@ import ( "context" "fmt" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/rotisserie/eris" @@ -14,6 +13,7 @@ import ( mock_version "github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/version/mocks" "github.com/solo-io/gloo/projects/gloo/cli/pkg/printers" "github.com/solo-io/gloo/projects/gloo/pkg/api/grpc/version" + "go.uber.org/mock/gomock" ) var _ = Describe("version command", func() { diff --git a/projects/gloo/pkg/api/v1/enterprise/options/rbac/rbac.pb.go b/projects/gloo/pkg/api/v1/enterprise/options/rbac/rbac.pb.go index 7b42cc587a0..d8e0e7c6a72 100644 --- a/projects/gloo/pkg/api/v1/enterprise/options/rbac/rbac.pb.go +++ b/projects/gloo/pkg/api/v1/enterprise/options/rbac/rbac.pb.go @@ -33,6 +33,8 @@ const ( JWTPrincipal_BOOLEAN JWTPrincipal_ClaimMatcher = 1 // The JWT claim value is a list that contains a string that exactly matches the value. JWTPrincipal_LIST_CONTAINS JWTPrincipal_ClaimMatcher = 2 + // The JWT claim value is a glob pattern that matches the value. + JWTPrincipal_GLOB_MATCH JWTPrincipal_ClaimMatcher = 3 ) // Enum value maps for JWTPrincipal_ClaimMatcher. @@ -41,11 +43,13 @@ var ( 0: "EXACT_STRING", 1: "BOOLEAN", 2: "LIST_CONTAINS", + 3: "GLOB_MATCH", } JWTPrincipal_ClaimMatcher_value = map[string]int32{ "EXACT_STRING": 0, "BOOLEAN": 1, "LIST_CONTAINS": 2, + "GLOB_MATCH": 3, } ) 
@@ -432,18 +436,20 @@ const file_github_com_solo_io_gloo_projects_gloo_api_v1_enterprise_options_rbac_ "\vpermissions\x18\x02 \x01(\v2&.rbac.options.gloo.solo.io.PermissionsR\vpermissions\x124\n" + "\x16nested_claim_delimiter\x18\x03 \x01(\tR\x14nestedClaimDelimiter\"Y\n" + "\tPrincipal\x12L\n" + - "\rjwt_principal\x18\x01 \x01(\v2'.rbac.options.gloo.solo.io.JWTPrincipalR\fjwtPrincipal\"\xc4\x02\n" + + "\rjwt_principal\x18\x01 \x01(\v2'.rbac.options.gloo.solo.io.JWTPrincipalR\fjwtPrincipal\"\xd4\x02\n" + "\fJWTPrincipal\x12K\n" + "\x06claims\x18\x01 \x03(\v23.rbac.options.gloo.solo.io.JWTPrincipal.ClaimsEntryR\x06claims\x12\x1a\n" + "\bprovider\x18\x02 \x01(\tR\bprovider\x12N\n" + "\amatcher\x18\x03 \x01(\x0e24.rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcherR\amatcher\x1a9\n" + "\vClaimsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"@\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"P\n" + "\fClaimMatcher\x12\x10\n" + "\fEXACT_STRING\x10\x00\x12\v\n" + "\aBOOLEAN\x10\x01\x12\x11\n" + - "\rLIST_CONTAINS\x10\x02\"H\n" + + "\rLIST_CONTAINS\x10\x02\x12\x0e\n" + + "\n" + + "GLOB_MATCH\x10\x03\"H\n" + "\vPermissions\x12\x1f\n" + "\vpath_prefix\x18\x01 \x01(\tR\n" + "pathPrefix\x12\x18\n" + diff --git a/projects/gloo/pkg/bootstrap/clients/vault/auth_test.go b/projects/gloo/pkg/bootstrap/clients/vault/auth_test.go index 14ef949a7a4..5898ac9328a 100644 --- a/projects/gloo/pkg/bootstrap/clients/vault/auth_test.go +++ b/projects/gloo/pkg/bootstrap/clients/vault/auth_test.go @@ -6,7 +6,6 @@ import ( "time" "github.com/avast/retry-go" - "github.com/golang/mock/gomock" "github.com/hashicorp/vault/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" 
@@ -14,6 +13,7 @@ import ( "github.com/rotisserie/eris" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" . "github.com/solo-io/gloo/projects/gloo/pkg/bootstrap/clients/vault" + "go.uber.org/mock/gomock" "github.com/solo-io/gloo/projects/gloo/pkg/bootstrap/clients/vault/mocks" "github.com/solo-io/gloo/test/gomega/assertions" diff --git a/projects/gloo/pkg/bootstrap/clients/vault/client_test.go b/projects/gloo/pkg/bootstrap/clients/vault/client_test.go index 77f13470f36..54203c9c74f 100644 --- a/projects/gloo/pkg/bootstrap/clients/vault/client_test.go +++ b/projects/gloo/pkg/bootstrap/clients/vault/client_test.go @@ -5,13 +5,13 @@ import ( "time" "github.com/avast/retry-go" - "github.com/golang/mock/gomock" vaultapi "github.com/hashicorp/vault/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/rotisserie/eris" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" . "github.com/solo-io/gloo/projects/gloo/pkg/bootstrap/clients/vault" + "go.uber.org/mock/gomock" "github.com/solo-io/gloo/projects/gloo/pkg/bootstrap/clients/vault/mocks" "github.com/solo-io/gloo/test/gomega/assertions" diff --git a/projects/gloo/pkg/bootstrap/clients/vault/mocks/mock_auth.go b/projects/gloo/pkg/bootstrap/clients/vault/mocks/mock_auth.go index 8ade01d7e97..90905544cbb 100644 --- a/projects/gloo/pkg/bootstrap/clients/vault/mocks/mock_auth.go +++ b/projects/gloo/pkg/bootstrap/clients/vault/mocks/mock_auth.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/hashicorp/vault/api (interfaces: AuthMethod) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_auth.go -package mocks github.com/hashicorp/vault/api AuthMethod +// // Package mocks is a generated GoMock package. package mocks 
@@ -8,14 +13,15 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" api "github.com/hashicorp/vault/api" + gomock "go.uber.org/mock/gomock" ) // MockAuthMethod is a mock of AuthMethod interface. type MockAuthMethod struct { ctrl *gomock.Controller recorder *MockAuthMethodMockRecorder + isgomock struct{} } // MockAuthMethodMockRecorder is the mock recorder for MockAuthMethod. @@ -36,16 +42,16 @@ func (m *MockAuthMethod) EXPECT() *MockAuthMethodMockRecorder { } // Login mocks base method. -func (m *MockAuthMethod) Login(arg0 context.Context, arg1 *api.Client) (*api.Secret, error) { +func (m *MockAuthMethod) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Login", arg0, arg1) + ret := m.ctrl.Call(m, "Login", ctx, client) ret0, _ := ret[0].(*api.Secret) ret1, _ := ret[1].(error) return ret0, ret1 } // Login indicates an expected call of Login. -func (mr *MockAuthMethodMockRecorder) Login(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockAuthMethodMockRecorder) Login(ctx, client any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Login", reflect.TypeOf((*MockAuthMethod)(nil).Login), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Login", reflect.TypeOf((*MockAuthMethod)(nil).Login), ctx, client) } diff --git a/projects/gloo/pkg/bootstrap/clients/vault/renewal_test.go b/projects/gloo/pkg/bootstrap/clients/vault/renewal_test.go index e95c00334d0..68dd89125a5 100644 --- a/projects/gloo/pkg/bootstrap/clients/vault/renewal_test.go +++ b/projects/gloo/pkg/bootstrap/clients/vault/renewal_test.go 
@@ -5,11 +5,11 @@ import ( "time" "github.com/avast/retry-go" - "github.com/golang/mock/gomock" vault "github.com/hashicorp/vault/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" errors "github.com/rotisserie/eris" + "go.uber.org/mock/gomock" . "github.com/solo-io/gloo/projects/gloo/pkg/bootstrap/clients/vault" "github.com/solo-io/gloo/projects/gloo/pkg/bootstrap/clients/vault/mocks" diff --git a/projects/gloo/pkg/discovery/discovery_test.go b/projects/gloo/pkg/discovery/discovery_test.go index 78eea0bdc4b..b6092ab480c 100644 --- a/projects/gloo/pkg/discovery/discovery_test.go +++ b/projects/gloo/pkg/discovery/discovery_test.go @@ -6,7 +6,6 @@ import ( "github.com/solo-io/gloo/pkg/utils/statusutils" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" @@ -17,6 +16,7 @@ import ( "github.com/solo-io/solo-kit/pkg/api/v1/clients/memory" "github.com/solo-io/solo-kit/pkg/api/v1/resources" "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" + "go.uber.org/mock/gomock" . "github.com/solo-io/gloo/projects/gloo/pkg/discovery" ) diff --git a/projects/gloo/pkg/discovery/mocks/mock_discovery.go b/projects/gloo/pkg/discovery/mocks/mock_discovery.go index 9600b5e9e0b..9897defe2d3 100644 --- a/projects/gloo/pkg/discovery/mocks/mock_discovery.go +++ b/projects/gloo/pkg/discovery/mocks/mock_discovery.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/pkg/discovery (interfaces: DiscoveryPlugin) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_discovery.go -package mocks github.com/solo-io/gloo/projects/gloo/pkg/discovery DiscoveryPlugin +// // Package mocks is a generated GoMock package. package mocks 
@@ -7,17 +12,18 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" discovery "github.com/solo-io/gloo/projects/gloo/pkg/discovery" plugins "github.com/solo-io/gloo/projects/gloo/pkg/plugins" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockDiscoveryPlugin is a mock of DiscoveryPlugin interface. type MockDiscoveryPlugin struct { ctrl *gomock.Controller recorder *MockDiscoveryPluginMockRecorder + isgomock struct{} } // MockDiscoveryPluginMockRecorder is the mock recorder for MockDiscoveryPlugin. @@ -38,9 +44,9 @@ func (m *MockDiscoveryPlugin) EXPECT() *MockDiscoveryPluginMockRecorder { } // DiscoverUpstreams mocks base method. -func (m *MockDiscoveryPlugin) DiscoverUpstreams(arg0 []string, arg1 string, arg2 clients.WatchOpts, arg3 discovery.Opts) (chan v1.UpstreamList, chan error, error) { +func (m *MockDiscoveryPlugin) DiscoverUpstreams(watchNamespaces []string, writeNamespace string, opts clients.WatchOpts, discOpts discovery.Opts) (chan v1.UpstreamList, chan error, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DiscoverUpstreams", arg0, arg1, arg2, arg3) + ret := m.ctrl.Call(m, "DiscoverUpstreams", watchNamespaces, writeNamespace, opts, discOpts) ret0, _ := ret[0].(chan v1.UpstreamList) ret1, _ := ret[1].(chan error) ret2, _ := ret[2].(error) 
@@ -48,21 +54,21 @@ func (m *MockDiscoveryPlugin) DiscoverUpstreams(arg0 []string, arg1 string, arg2 } // DiscoverUpstreams indicates an expected call of DiscoverUpstreams. -func (mr *MockDiscoveryPluginMockRecorder) DiscoverUpstreams(arg0, arg1, arg2, arg3 interface{}) *gomock.Call { +func (mr *MockDiscoveryPluginMockRecorder) DiscoverUpstreams(watchNamespaces, writeNamespace, opts, discOpts any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DiscoverUpstreams", reflect.TypeOf((*MockDiscoveryPlugin)(nil).DiscoverUpstreams), arg0, arg1, arg2, arg3) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DiscoverUpstreams", reflect.TypeOf((*MockDiscoveryPlugin)(nil).DiscoverUpstreams), watchNamespaces, writeNamespace, opts, discOpts) } // Init mocks base method. -func (m *MockDiscoveryPlugin) Init(arg0 plugins.InitParams) { +func (m *MockDiscoveryPlugin) Init(params plugins.InitParams) { m.ctrl.T.Helper() - m.ctrl.Call(m, "Init", arg0) + m.ctrl.Call(m, "Init", params) } // Init indicates an expected call of Init. -func (mr *MockDiscoveryPluginMockRecorder) Init(arg0 interface{}) *gomock.Call { +func (mr *MockDiscoveryPluginMockRecorder) Init(params any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Init", reflect.TypeOf((*MockDiscoveryPlugin)(nil).Init), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Init", reflect.TypeOf((*MockDiscoveryPlugin)(nil).Init), params) } // Name mocks base method. 
@@ -80,24 +86,24 @@ func (mr *MockDiscoveryPluginMockRecorder) Name() *gomock.Call { } // UpdateUpstream mocks base method. -func (m *MockDiscoveryPlugin) UpdateUpstream(arg0, arg1 *v1.Upstream) (bool, error) { +func (m *MockDiscoveryPlugin) UpdateUpstream(original, desired *v1.Upstream) (bool, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "UpdateUpstream", arg0, arg1) + ret := m.ctrl.Call(m, "UpdateUpstream", original, desired) ret0, _ := ret[0].(bool) ret1, _ := ret[1].(error) return ret0, ret1 } // UpdateUpstream indicates an expected call of UpdateUpstream. -func (mr *MockDiscoveryPluginMockRecorder) UpdateUpstream(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockDiscoveryPluginMockRecorder) UpdateUpstream(original, desired any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUpstream", reflect.TypeOf((*MockDiscoveryPlugin)(nil).UpdateUpstream), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUpstream", reflect.TypeOf((*MockDiscoveryPlugin)(nil).UpdateUpstream), original, desired) } // WatchEndpoints mocks base method. -func (m *MockDiscoveryPlugin) WatchEndpoints(arg0 string, arg1 v1.UpstreamList, arg2 clients.WatchOpts) (<-chan v1.EndpointList, <-chan error, error) { +func (m *MockDiscoveryPlugin) WatchEndpoints(writeNamespace string, upstreamsToTrack v1.UpstreamList, opts clients.WatchOpts) (<-chan v1.EndpointList, <-chan error, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "WatchEndpoints", arg0, arg1, arg2) + ret := m.ctrl.Call(m, "WatchEndpoints", writeNamespace, upstreamsToTrack, opts) ret0, _ := ret[0].(<-chan v1.EndpointList) ret1, _ := ret[1].(<-chan error) ret2, _ := ret[2].(error) 
@@ -105,7 +111,7 @@ func (m *MockDiscoveryPlugin) WatchEndpoints(arg0 string, arg1 v1.UpstreamList, } // WatchEndpoints indicates an expected call of WatchEndpoints. -func (mr *MockDiscoveryPluginMockRecorder) WatchEndpoints(arg0, arg1, arg2 interface{}) *gomock.Call { +func (mr *MockDiscoveryPluginMockRecorder) WatchEndpoints(writeNamespace, upstreamsToTrack, opts any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WatchEndpoints", reflect.TypeOf((*MockDiscoveryPlugin)(nil).WatchEndpoints), arg0, arg1, arg2) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WatchEndpoints", reflect.TypeOf((*MockDiscoveryPlugin)(nil).WatchEndpoints), writeNamespace, upstreamsToTrack, opts) } diff --git a/projects/gloo/pkg/mocks/mock_artifact_client.go b/projects/gloo/pkg/mocks/mock_artifact_client.go index 57e61f94b8e..848d0827019 100644 --- a/projects/gloo/pkg/mocks/mock_artifact_client.go +++ b/projects/gloo/pkg/mocks/mock_artifact_client.go @@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockArtifactClient is a mock of ArtifactClient interface diff --git a/projects/gloo/pkg/mocks/mock_endpoint_client.go b/projects/gloo/pkg/mocks/mock_endpoint_client.go index 66f25fb545a..5cf7a312d3d 100644 --- a/projects/gloo/pkg/mocks/mock_endpoint_client.go +++ b/projects/gloo/pkg/mocks/mock_endpoint_client.go @@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockEndpointClient is a mock of EndpointClient interface 
diff --git a/projects/gloo/pkg/mocks/mock_proxy_client.go b/projects/gloo/pkg/mocks/mock_proxy_client.go index 7572798f1a0..f0c97c27807 100644 --- a/projects/gloo/pkg/mocks/mock_proxy_client.go +++ b/projects/gloo/pkg/mocks/mock_proxy_client.go @@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockProxyClient is a mock of ProxyClient interface diff --git a/projects/gloo/pkg/mocks/mock_secret_client.go b/projects/gloo/pkg/mocks/mock_secret_client.go index 0fcd27b2299..90a0a2129aa 100644 --- a/projects/gloo/pkg/mocks/mock_secret_client.go +++ b/projects/gloo/pkg/mocks/mock_secret_client.go @@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockSecretClient is a mock of SecretClient interface diff --git a/projects/gloo/pkg/mocks/mock_settings_client.go b/projects/gloo/pkg/mocks/mock_settings_client.go index dbca0e1a67a..f301b816b49 100644 --- a/projects/gloo/pkg/mocks/mock_settings_client.go +++ b/projects/gloo/pkg/mocks/mock_settings_client.go @@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockSettingsClient is a mock of SettingsClient interface diff --git a/projects/gloo/pkg/mocks/mock_upstream_client.go b/projects/gloo/pkg/mocks/mock_upstream_client.go index 6ac387cdf44..224c435e12a 100644 --- a/projects/gloo/pkg/mocks/mock_upstream_client.go +++ b/projects/gloo/pkg/mocks/mock_upstream_client.go 
@@ -7,9 +7,9 @@ package mocks import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" clients "github.com/solo-io/solo-kit/pkg/api/v1/clients" + gomock "go.uber.org/mock/gomock" ) // MockUpstreamClient is a mock of UpstreamClient interface diff --git a/projects/gloo/pkg/plugins/consul/eds_test.go b/projects/gloo/pkg/plugins/consul/eds_test.go index ca8ab033358..ebf226ef576 100644 --- a/projects/gloo/pkg/plugins/consul/eds_test.go +++ b/projects/gloo/pkg/plugins/consul/eds_test.go @@ -23,7 +23,6 @@ import ( . "github.com/solo-io/gloo/projects/gloo/constants" - "github.com/golang/mock/gomock" consulapi "github.com/hashicorp/consul/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -34,6 +33,7 @@ import ( . "github.com/solo-io/gloo/test/gomega" "github.com/solo-io/solo-kit/pkg/api/v1/clients" "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" + "go.uber.org/mock/gomock" "golang.org/x/sync/errgroup" ) diff --git a/projects/gloo/pkg/plugins/consul/mocks/dnsresolver_mock.go b/projects/gloo/pkg/plugins/consul/mocks/dnsresolver_mock.go index c04f4959d89..e6c93ae1ff1 100644 --- a/projects/gloo/pkg/plugins/consul/mocks/dnsresolver_mock.go +++ b/projects/gloo/pkg/plugins/consul/mocks/dnsresolver_mock.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/pkg/plugins/consul (interfaces: DnsResolver) +// +// Generated by this command: +// +// mockgen -destination ./mocks/dnsresolver_mock.go github.com/solo-io/gloo/projects/gloo/pkg/plugins/consul DnsResolver +// // Package mock_consul is a generated GoMock package. package mock_consul 
@@ -9,13 +14,14 @@ import ( net "net" reflect "reflect" - gomock "github.com/golang/mock/gomock" + gomock "go.uber.org/mock/gomock" ) // MockDnsResolver is a mock of DnsResolver interface. type MockDnsResolver struct { ctrl *gomock.Controller recorder *MockDnsResolverMockRecorder + isgomock struct{} } // MockDnsResolverMockRecorder is the mock recorder for MockDnsResolver. @@ -36,16 +42,16 @@ func (m *MockDnsResolver) EXPECT() *MockDnsResolverMockRecorder { } // Resolve mocks base method. -func (m *MockDnsResolver) Resolve(arg0 context.Context, arg1 string) ([]net.IPAddr, error) { +func (m *MockDnsResolver) Resolve(ctx context.Context, address string) ([]net.IPAddr, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Resolve", arg0, arg1) + ret := m.ctrl.Call(m, "Resolve", ctx, address) ret0, _ := ret[0].([]net.IPAddr) ret1, _ := ret[1].(error) return ret0, ret1 } // Resolve indicates an expected call of Resolve. -func (mr *MockDnsResolverMockRecorder) Resolve(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockDnsResolverMockRecorder) Resolve(ctx, address any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Resolve", reflect.TypeOf((*MockDnsResolver)(nil).Resolve), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Resolve", reflect.TypeOf((*MockDnsResolver)(nil).Resolve), ctx, address) } diff --git a/projects/gloo/pkg/plugins/consul/plugin_test.go b/projects/gloo/pkg/plugins/consul/plugin_test.go index 3004be2b48a..ecc9c0fede5 100644 --- a/projects/gloo/pkg/plugins/consul/plugin_test.go +++ b/projects/gloo/pkg/plugins/consul/plugin_test.go 
@@ -10,11 +10,11 @@ import ( mock_consul2 "github.com/solo-io/gloo/projects/gloo/pkg/plugins/consul/mocks" - "github.com/golang/mock/gomock" consulapi "github.com/hashicorp/consul/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" mock_consul "github.com/solo-io/gloo/projects/gloo/pkg/upstreams/consul/mocks" + "go.uber.org/mock/gomock" ) var _ = Describe("Resolve", func() { diff --git a/projects/gloo/pkg/plugins/kubernetes/eds_test.go b/projects/gloo/pkg/plugins/kubernetes/eds_test.go index a74bf718280..e7ff083572b 100644 --- a/projects/gloo/pkg/plugins/kubernetes/eds_test.go +++ b/projects/gloo/pkg/plugins/kubernetes/eds_test.go @@ -4,10 +4,10 @@ import ( "context" "os" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/solo-io/gloo/projects/gloo/constants" + "go.uber.org/mock/gomock" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" diff --git a/projects/gloo/pkg/plugins/kubernetes/mocks/kubesharedfactory_mock.go b/projects/gloo/pkg/plugins/kubernetes/mocks/kubesharedfactory_mock.go index 1a26307ed1b..3d3ff844b30 100644 --- a/projects/gloo/pkg/plugins/kubernetes/mocks/kubesharedfactory_mock.go +++ b/projects/gloo/pkg/plugins/kubernetes/mocks/kubesharedfactory_mock.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/pkg/plugins/kubernetes (interfaces: KubePluginSharedFactory) +// +// Generated by this command: +// +// mockgen -destination ./mocks/kubesharedfactory_mock.go github.com/solo-io/gloo/projects/gloo/pkg/plugins/kubernetes KubePluginSharedFactory +// // Package mock_kubernetes is a generated GoMock package. package mock_kubernetes @@ -7,7 +12,7 @@ package mock_kubernetes import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" + gomock "go.uber.org/mock/gomock" v1 "k8s.io/client-go/listers/core/v1" ) 
@@ -15,6 +20,7 @@ import ( type MockKubePluginSharedFactory struct { ctrl *gomock.Controller recorder *MockKubePluginSharedFactoryMockRecorder + isgomock struct{} } // MockKubePluginSharedFactoryMockRecorder is the mock recorder for MockKubePluginSharedFactory. @@ -35,17 +41,17 @@ func (m *MockKubePluginSharedFactory) EXPECT() *MockKubePluginSharedFactoryMockR } // EndpointsLister mocks base method. -func (m *MockKubePluginSharedFactory) EndpointsLister(arg0 string) v1.EndpointsLister { +func (m *MockKubePluginSharedFactory) EndpointsLister(ns string) v1.EndpointsLister { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "EndpointsLister", arg0) + ret := m.ctrl.Call(m, "EndpointsLister", ns) ret0, _ := ret[0].(v1.EndpointsLister) return ret0 } // EndpointsLister indicates an expected call of EndpointsLister. -func (mr *MockKubePluginSharedFactoryMockRecorder) EndpointsLister(arg0 interface{}) *gomock.Call { +func (mr *MockKubePluginSharedFactoryMockRecorder) EndpointsLister(ns any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EndpointsLister", reflect.TypeOf((*MockKubePluginSharedFactory)(nil).EndpointsLister), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EndpointsLister", reflect.TypeOf((*MockKubePluginSharedFactory)(nil).EndpointsLister), ns) } // Subscribe mocks base method. @@ -69,7 +75,7 @@ func (m *MockKubePluginSharedFactory) Unsubscribe(arg0 <-chan struct{}) { } // Unsubscribe indicates an expected call of Unsubscribe. -func (mr *MockKubePluginSharedFactoryMockRecorder) Unsubscribe(arg0 interface{}) *gomock.Call { +func (mr *MockKubePluginSharedFactoryMockRecorder) Unsubscribe(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Unsubscribe", reflect.TypeOf((*MockKubePluginSharedFactory)(nil).Unsubscribe), arg0) } 
diff --git a/projects/gloo/pkg/plugins/loadbalancer/plugin_test.go b/projects/gloo/pkg/plugins/loadbalancer/plugin_test.go index 98c36b85075..983fe7acbbe 100644 --- a/projects/gloo/pkg/plugins/loadbalancer/plugin_test.go +++ b/projects/gloo/pkg/plugins/loadbalancer/plugin_test.go @@ -118,8 +118,7 @@ var _ = Describe("Plugin", func() { // sample user config sampleInputYaml := `apiVersion: gloo.solo.io/v1 kind: Upstream -metadata: - creationTimestamp: null +metadata: {} spec: loadBalancerConfig: leastRequest: @@ -207,8 +206,7 @@ status: {} // sample user config sampleInputYaml := `apiVersion: gloo.solo.io/v1 kind: Upstream -metadata: - creationTimestamp: null +metadata: {} spec: loadBalancerConfig: roundRobin: @@ -263,8 +261,7 @@ status: {} // sample user config sampleInputYaml := `apiVersion: gloo.solo.io/v1 kind: Upstream -metadata: - creationTimestamp: null +metadata: {} spec: loadBalancerConfig: ringHash: @@ -310,8 +307,7 @@ status: {} // sample user config sampleInputYaml := `apiVersion: gloo.solo.io/v1 kind: Upstream -metadata: - creationTimestamp: null +metadata: {} spec: loadBalancerConfig: maglev: {} @@ -475,8 +471,7 @@ status: {} // sample user config sampleInputYaml := `apiVersion: gateway.solo.io/v1 kind: VirtualService -metadata: - creationTimestamp: null +metadata: {} spec: virtualHost: routes: diff --git a/projects/gloo/pkg/plugins/tcp/plugin_test.go b/projects/gloo/pkg/plugins/tcp/plugin_test.go index b3ccb57e1a9..dc75ddcb6ab 100644 --- a/projects/gloo/pkg/plugins/tcp/plugin_test.go +++ b/projects/gloo/pkg/plugins/tcp/plugin_test.go 
@@ -8,7 +8,6 @@ import ( envoy_extensions_filters_network_sni_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/sni_cluster/v3" envoytcp "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/tcp_proxy/v3" envoyauth "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" - "github.com/golang/mock/gomock" "github.com/golang/protobuf/ptypes/duration" "github.com/golang/protobuf/ptypes/empty" "github.com/golang/protobuf/ptypes/wrappers" @@ -26,6 +25,7 @@ import ( "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" "github.com/solo-io/solo-kit/pkg/utils/prototime" "github.com/solo-io/solo-kit/test/matchers" + "go.uber.org/mock/gomock" "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/wrapperspb" ) diff --git a/projects/gloo/pkg/servers/iosnapshot/history_test.go b/projects/gloo/pkg/servers/iosnapshot/history_test.go index 43376309155..82a6d2ca71b 100644 --- a/projects/gloo/pkg/servers/iosnapshot/history_test.go +++ b/projects/gloo/pkg/servers/iosnapshot/history_test.go @@ -163,11 +163,9 @@ var _ = Describe("History", func() { clientObjects := []client.Object{ &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-secret", - Namespace: "secret", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-secret", + Namespace: "secret", + ManagedFields: testManagedFields("v1"), }, Data: map[string][]byte{ "key": []byte("sensitive-data"), @@ -175,11 +173,9 @@ var _ = Describe("History", func() { }, &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-configmap", - Namespace: "configmap", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-configmap", + Namespace: "configmap", + ManagedFields: testManagedFields("v1"), }, Data: map[string]string{ "key": "value", 
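Review bot: In history_test.go the API version handed to `testManagedFields` is a hand-typed string in every fixture, starting with `testManagedFields("v1")` on the Secret in the `@@ -163,11 +163,9 @@` hunk and repeated in the `@@ -175,11 +173,9 @@` and `@@ -187,182 +183,142 @@` hunks. A typo or a later API-version bump in one fixture would therefore go unnoticed. Where a package already exposes its group-version value, deriving the argument from it keeps fixture and type in step, for example `ManagedFields: testManagedFields(corev1.SchemeGroupVersion.String()),` for the Secret and ConfigMap. Whether any assertion depends on this value is not visible in these hunks, so this is a maintainability point, not a correctness one. The `clientObjects` literal continues past the first hunk.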
@@ -187,182 +183,142 @@ var _ = Describe("History", func() { }, &apiv1.Gateway{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-gw", - Namespace: "a", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-gw", + Namespace: "a", + ManagedFields: testManagedFields("gateway.networking.k8s.io/v1"), }, }, &apiv1.GatewayClass{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-gw-class", - Namespace: "c", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-gw-class", + Namespace: "c", + ManagedFields: testManagedFields("gateway.networking.k8s.io/v1"), }, }, &apiv1.HTTPRoute{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-http-route", - Namespace: "b", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-http-route", + Namespace: "b", + ManagedFields: testManagedFields("gateway.networking.k8s.io/v1"), }, }, &apiv1beta1.ReferenceGrant{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-ref-grant", - Namespace: "d", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-ref-grant", + Namespace: "d", + ManagedFields: testManagedFields("gateway.networking.k8s.io/v1beta1"), }, }, &v1alpha1.GatewayParameters{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-gwp", - Namespace: "e", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-gwp", + Namespace: "e", + ManagedFields: testManagedFields("gateway.gloo.solo.io/v1alpha1"), }, }, &gatewaykubev1.ListenerOption{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-lo", - Namespace: "f", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-lo", + Namespace: "f", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &gatewaykubev1.HttpListenerOption{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-hlo", - Namespace: "g", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-hlo", + Namespace: "g", + 
ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &gatewaykubev1.VirtualHostOption{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-vho", - Namespace: "i", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-vho", + Namespace: "i", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &gatewaykubev1.RouteOption{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-rto", - Namespace: "h", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-rto", + Namespace: "h", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &extauthkubev1.AuthConfig{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-ac", - Namespace: "j", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-ac", + Namespace: "j", + ManagedFields: testManagedFields("enterprise.gloo.solo.io/v1"), }, }, &rlv1alpha1.RateLimitConfig{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-rlc", - Namespace: "k", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-rlc", + Namespace: "k", + ManagedFields: testManagedFields("ratelimit.solo.io/v1alpha1"), }, }, &gloov1.Settings{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-settings", - Namespace: "settings", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-settings", + Namespace: "settings", + ManagedFields: testManagedFields("gloo.solo.io/v1"), }, }, &gloov1.Upstream{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-upstream", - Namespace: "upstream", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-upstream", + Namespace: "upstream", + ManagedFields: testManagedFields("gloo.solo.io/v1"), }, }, &gloov1.UpstreamGroup{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-upstreamgroup", - Namespace: "upstreamgroup", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-upstreamgroup", + Namespace: "upstreamgroup", + 
ManagedFields: testManagedFields("gloo.solo.io/v1"), }, }, &gloov1.Proxy{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-proxy", - Namespace: "proxy", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-proxy", + Namespace: "proxy", + ManagedFields: testManagedFields("gloo.solo.io/v1"), }, }, &gatewaykubev1.Gateway{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-edgegateway", - Namespace: "edgegateway", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-edgegateway", + Namespace: "edgegateway", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &gatewaykubev1.MatchableHttpGateway{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-httpgateway", - Namespace: "httpgateway", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-httpgateway", + Namespace: "httpgateway", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &gatewaykubev1.MatchableTcpGateway{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-tcpgateway", - Namespace: "tcpgateway", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-tcpgateway", + Namespace: "tcpgateway", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &gatewaykubev1.VirtualService{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-virtualservice", - Namespace: "virtualservice", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-virtualservice", + Namespace: "virtualservice", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, &gatewaykubev1.RouteTable{ ObjectMeta: metav1.ObjectMeta{ - Name: "kube-routetable", - Namespace: "routetable", - ManagedFields: []metav1.ManagedFieldsEntry{{ - Manager: "manager", - }}, + Name: "kube-routetable", + Namespace: "routetable", + ManagedFields: testManagedFields("gateway.solo.io/v1"), }, }, } 
@@ -838,3 +794,17 @@ func simpleObjectMatcher(gvk schema.GroupVersionKind, namespacedName types.Names })), ) } + +func testManagedFields(apiVersion string) []metav1.ManagedFieldsEntry { + return []metav1.ManagedFieldsEntry{ + { + Manager: "manager", + Operation: "Update", + APIVersion: apiVersion, + FieldsType: "FieldsV1", + FieldsV1: &metav1.FieldsV1{ + Raw: []byte(`{"f:metadata":{"f:name":{}}}`), + }, + }, + } +} diff --git a/projects/gloo/pkg/servers/iosnapshot/response_test.go b/projects/gloo/pkg/servers/iosnapshot/response_test.go index 7a8b41a66b6..1f12824e71a 100644 --- a/projects/gloo/pkg/servers/iosnapshot/response_test.go +++ b/projects/gloo/pkg/servers/iosnapshot/response_test.go @@ -46,6 +46,6 @@ var _ = Describe("SnapshotResponseData", func() { }, Error: nil, }, - "{\"data\":[{\"kind\":\"kind\",\"apiVersion\":\"version\",\"metadata\":{\"name\":\"name\",\"namespace\":\"namespace\",\"creationTimestamp\":null,\"managedFields\":[{\"manager\":\"manager\"}]},\"status\":null,\"spec\":null}],\"error\":\"\"}"), + "{\"data\":[{\"kind\":\"kind\",\"apiVersion\":\"version\",\"metadata\":{\"name\":\"name\",\"namespace\":\"namespace\",\"managedFields\":[{\"manager\":\"manager\"}]},\"status\":null,\"spec\":null}],\"error\":\"\"}"), ) }) diff --git a/projects/gloo/pkg/translator/listener_subsystem_test.go b/projects/gloo/pkg/translator/listener_subsystem_test.go index 91d68b0890a..4d32c8dc63e 100644 --- a/projects/gloo/pkg/translator/listener_subsystem_test.go +++ b/projects/gloo/pkg/translator/listener_subsystem_test.go 
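Review bot: `testManagedFields`, added to history_test.go in the `@@ -838,3 +794,17 @@` hunk, has no comment, and nothing in the change says why every fixture now needs a complete entry (`Operation`, `APIVersion`, `FieldsType`, `FieldsV1`) where `Manager` alone was used before. A line above the function would record the contract, e.g. `// testManagedFields returns one complete managedFields entry (Update, FieldsV1) for apiVersion, shared by the clientObjects fixtures.` The reason is presumably stricter managedFields handling in the upgraded client libraries, but that is inferred, so the author should confirm it and add it to the comment. The next reader can then tell whether the `FieldsV1.Raw` payload `{"f:metadata":{"f:name":{}}}` matters to the assertions or is only a placeholder.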
@@ -7,8 +7,8 @@ import ( envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" envoy_http_connection_manager_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" - "github.com/golang/mock/gomock" "github.com/golang/protobuf/ptypes/wrappers" + "go.uber.org/mock/gomock" "google.golang.org/protobuf/types/known/wrapperspb" . "github.com/onsi/ginkgo/v2" diff --git a/projects/gloo/pkg/translator/performance_test.go b/projects/gloo/pkg/translator/performance_test.go index 8df15f8742b..a5ec76a4841 100644 --- a/projects/gloo/pkg/translator/performance_test.go +++ b/projects/gloo/pkg/translator/performance_test.go @@ -15,7 +15,6 @@ import ( "github.com/onsi/gomega/types" "github.com/solo-io/gloo/test/gomega/matchers" - "github.com/golang/mock/gomock" "github.com/solo-io/gloo/projects/gloo/pkg/api/grpc/validation" "github.com/solo-io/gloo/projects/gloo/pkg/bootstrap" "github.com/solo-io/gloo/projects/gloo/pkg/plugins/registry" @@ -26,6 +25,7 @@ import ( "github.com/solo-io/solo-kit/pkg/api/v1/clients/memory" "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/cache" "github.com/solo-io/solo-kit/pkg/api/v2/reporter" + "go.uber.org/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" diff --git a/projects/gloo/pkg/translator/translator_test.go b/projects/gloo/pkg/translator/translator_test.go index 2aab04c948c..45dd41a06e0 100644 --- a/projects/gloo/pkg/translator/translator_test.go +++ b/projects/gloo/pkg/translator/translator_test.go 
@@ -19,7 +19,6 @@ import ( envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" - "github.com/golang/mock/gomock" "github.com/golang/protobuf/proto" "github.com/golang/protobuf/ptypes/duration" _struct "github.com/golang/protobuf/ptypes/struct" @@ -28,6 +27,7 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" gomega_types "github.com/onsi/gomega/types" + "go.uber.org/mock/gomock" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/wrapperspb" corev1 "k8s.io/api/core/v1" diff --git a/projects/gloo/pkg/upstreams/consul/consul_client_test.go b/projects/gloo/pkg/upstreams/consul/consul_client_test.go index d8d98a6c9e6..a3f77cdace3 100644 --- a/projects/gloo/pkg/upstreams/consul/consul_client_test.go +++ b/projects/gloo/pkg/upstreams/consul/consul_client_test.go @@ -3,12 +3,12 @@ package consul_test import ( "context" - "github.com/golang/mock/gomock" "github.com/hashicorp/consul/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" . "github.com/solo-io/gloo/projects/gloo/pkg/upstreams/consul" mock_consul "github.com/solo-io/gloo/projects/gloo/pkg/upstreams/consul/mocks" + "go.uber.org/mock/gomock" ) var _ = Describe("ClientWrapper", func() { diff --git a/projects/gloo/pkg/upstreams/consul/mocks/mock_consul_client.go b/projects/gloo/pkg/upstreams/consul/mocks/mock_consul_client.go index 330892092f5..ad6612205f1 100644 --- a/projects/gloo/pkg/upstreams/consul/mocks/mock_consul_client.go +++ b/projects/gloo/pkg/upstreams/consul/mocks/mock_consul_client.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: consul_client.go +// +// Generated by this command: +// +// mockgen -destination=./mocks/mock_consul_client.go -source consul_client.go +// // Package mock_consul is a generated GoMock package. package mock_consul 
@@ -7,14 +12,15 @@ package mock_consul import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" api "github.com/hashicorp/consul/api" + gomock "go.uber.org/mock/gomock" ) // MockClientWrapper is a mock of ClientWrapper interface. type MockClientWrapper struct { ctrl *gomock.Controller recorder *MockClientWrapperMockRecorder + isgomock struct{} } // MockClientWrapperMockRecorder is the mock recorder for MockClientWrapper. @@ -45,7 +51,7 @@ func (m *MockClientWrapper) Connect(service, tag string, q *api.QueryOptions) ([ } // Connect indicates an expected call of Connect. -func (mr *MockClientWrapperMockRecorder) Connect(service, tag, q interface{}) *gomock.Call { +func (mr *MockClientWrapperMockRecorder) Connect(service, tag, q any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Connect", reflect.TypeOf((*MockClientWrapper)(nil).Connect), service, tag, q) } @@ -76,7 +82,7 @@ func (m *MockClientWrapper) Service(service, tag string, q *api.QueryOptions) ([ } // Service indicates an expected call of Service. -func (mr *MockClientWrapperMockRecorder) Service(service, tag, q interface{}) *gomock.Call { +func (mr *MockClientWrapperMockRecorder) Service(service, tag, q any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Service", reflect.TypeOf((*MockClientWrapper)(nil).Service), service, tag, q) } @@ -92,7 +98,7 @@ func (m *MockClientWrapper) Services(q *api.QueryOptions) (map[string][]string, } // Services indicates an expected call of Services. -func (mr *MockClientWrapperMockRecorder) Services(q interface{}) *gomock.Call { +func (mr *MockClientWrapperMockRecorder) Services(q any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Services", reflect.TypeOf((*MockClientWrapper)(nil).Services), q) } 
diff --git a/projects/gloo/pkg/upstreams/consul/mocks/mock_watcher.go b/projects/gloo/pkg/upstreams/consul/mocks/mock_watcher.go index 5f7ee5e4857..53007a782b1 100644 --- a/projects/gloo/pkg/upstreams/consul/mocks/mock_watcher.go +++ b/projects/gloo/pkg/upstreams/consul/mocks/mock_watcher.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: watcher.go +// +// Generated by this command: +// +// mockgen -destination ./mocks/mock_watcher.go -source watcher.go -aux_files github.com/solo-io/gloo/projects/gloo/pkg/upstreams/consul=./consul_client.go +// // Package mock_consul is a generated GoMock package. package mock_consul @@ -8,16 +13,17 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" api "github.com/hashicorp/consul/api" consul "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/options/consul" consul0 "github.com/solo-io/gloo/projects/gloo/pkg/upstreams/consul" + gomock "go.uber.org/mock/gomock" ) // MockConsulWatcher is a mock of ConsulWatcher interface. type MockConsulWatcher struct { ctrl *gomock.Controller recorder *MockConsulWatcherMockRecorder + isgomock struct{} } // MockConsulWatcherMockRecorder is the mock recorder for MockConsulWatcher. @@ -48,7 +54,7 @@ func (m *MockConsulWatcher) Connect(service, tag string, q *api.QueryOptions) ([ } // Connect indicates an expected call of Connect. -func (mr *MockConsulWatcherMockRecorder) Connect(service, tag, q interface{}) *gomock.Call { +func (mr *MockConsulWatcherMockRecorder) Connect(service, tag, q any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Connect", reflect.TypeOf((*MockConsulWatcher)(nil).Connect), service, tag, q) } 
@@ -79,7 +85,7 @@ func (m *MockConsulWatcher) Service(service, tag string, q *api.QueryOptions) ([ } // Service indicates an expected call of Service. -func (mr *MockConsulWatcherMockRecorder) Service(service, tag, q interface{}) *gomock.Call { +func (mr *MockConsulWatcherMockRecorder) Service(service, tag, q any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Service", reflect.TypeOf((*MockConsulWatcher)(nil).Service), service, tag, q) } @@ -95,7 +101,7 @@ func (m *MockConsulWatcher) Services(q *api.QueryOptions) (map[string][]string, } // Services indicates an expected call of Services. -func (mr *MockConsulWatcherMockRecorder) Services(q interface{}) *gomock.Call { +func (mr *MockConsulWatcherMockRecorder) Services(q any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Services", reflect.TypeOf((*MockConsulWatcher)(nil).Services), q) } @@ -110,7 +116,7 @@ func (m *MockConsulWatcher) WatchServices(ctx context.Context, dataCenters []str } // WatchServices indicates an expected call of WatchServices. -func (mr *MockConsulWatcherMockRecorder) WatchServices(ctx, dataCenters, cm, queryOpts interface{}) *gomock.Call { +func (mr *MockConsulWatcherMockRecorder) WatchServices(ctx, dataCenters, cm, queryOpts any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WatchServices", reflect.TypeOf((*MockConsulWatcher)(nil).WatchServices), ctx, dataCenters, cm, queryOpts) } diff --git a/projects/gloo/pkg/upstreams/consul/upstream_client_test.go b/projects/gloo/pkg/upstreams/consul/upstream_client_test.go index dc67b968457..1bcef47d979 100644 --- a/projects/gloo/pkg/upstreams/consul/upstream_client_test.go +++ b/projects/gloo/pkg/upstreams/consul/upstream_client_test.go 
@@ -9,11 +9,11 @@ import ( "github.com/solo-io/gloo/projects/gloo/pkg/defaults" - "github.com/golang/mock/gomock" consulapi "github.com/hashicorp/consul/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" . "github.com/solo-io/gloo/test/gomega" + "go.uber.org/mock/gomock" "github.com/rotisserie/eris" . "github.com/solo-io/gloo/projects/gloo/pkg/upstreams/consul" diff --git a/projects/gloo/pkg/upstreams/hybrid_client_test.go b/projects/gloo/pkg/upstreams/hybrid_client_test.go index f7ad37c5499..a8bbe29ddf3 100644 --- a/projects/gloo/pkg/upstreams/hybrid_client_test.go +++ b/projects/gloo/pkg/upstreams/hybrid_client_test.go @@ -8,7 +8,6 @@ import ( "github.com/rotisserie/eris" mock_consul "github.com/solo-io/gloo/projects/gloo/pkg/upstreams/consul/mocks" - "github.com/golang/mock/gomock" "github.com/hashicorp/consul/api" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -20,6 +19,7 @@ import ( "github.com/solo-io/solo-kit/pkg/api/v1/clients/factory" "github.com/solo-io/solo-kit/pkg/api/v1/clients/memory" skkube "github.com/solo-io/solo-kit/pkg/api/v1/resources/common/kubernetes" + "go.uber.org/mock/gomock" ) var _ = Describe("Hybrid Upstream Client", func() { diff --git a/projects/gloo/pkg/utils/mocks/mock_ssl.go b/projects/gloo/pkg/utils/mocks/mock_ssl.go index c63ee8022a4..71cda3e4ed7 100644 --- a/projects/gloo/pkg/utils/mocks/mock_ssl.go +++ b/projects/gloo/pkg/utils/mocks/mock_ssl.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/pkg/utils (interfaces: SslConfigTranslator) +// +// Generated by this command: +// +// mockgen -destination mocks/mock_ssl.go github.com/solo-io/gloo/projects/gloo/pkg/utils SslConfigTranslator +// // Package mock_utils is a generated GoMock package. package mock_utils 
@@ -8,16 +13,17 @@ import ( reflect "reflect" tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" - gomock "github.com/golang/mock/gomock" v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1" ssl "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/ssl" utils "github.com/solo-io/gloo/projects/gloo/pkg/utils" + gomock "go.uber.org/mock/gomock" ) // MockSslConfigTranslator is a mock of SslConfigTranslator interface. type MockSslConfigTranslator struct { ctrl *gomock.Controller recorder *MockSslConfigTranslatorMockRecorder + isgomock struct{} } // MockSslConfigTranslatorMockRecorder is the mock recorder for MockSslConfigTranslator. 
@@ -38,61 +44,61 @@ func (m *MockSslConfigTranslator) EXPECT() *MockSslConfigTranslatorMockRecorder } // ResolveCommonSslConfig mocks base method. -func (m *MockSslConfigTranslator) ResolveCommonSslConfig(arg0 utils.CertSource, arg1 v1.SecretList, arg2 bool) (*tlsv3.CommonTlsContext, error) { +func (m *MockSslConfigTranslator) ResolveCommonSslConfig(cs utils.CertSource, secrets v1.SecretList, mustHaveCert bool) (*tlsv3.CommonTlsContext, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ResolveCommonSslConfig", arg0, arg1, arg2) + ret := m.ctrl.Call(m, "ResolveCommonSslConfig", cs, secrets, mustHaveCert) ret0, _ := ret[0].(*tlsv3.CommonTlsContext) ret1, _ := ret[1].(error) return ret0, ret1 } // ResolveCommonSslConfig indicates an expected call of ResolveCommonSslConfig. -func (mr *MockSslConfigTranslatorMockRecorder) ResolveCommonSslConfig(arg0, arg1, arg2 interface{}) *gomock.Call { +func (mr *MockSslConfigTranslatorMockRecorder) ResolveCommonSslConfig(cs, secrets, mustHaveCert any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveCommonSslConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveCommonSslConfig), arg0, arg1, arg2) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveCommonSslConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveCommonSslConfig), cs, secrets, mustHaveCert) } // ResolveDownstreamSslConfig mocks base method. 
-func (m *MockSslConfigTranslator) ResolveDownstreamSslConfig(arg0 v1.SecretList, arg1 *ssl.SslConfig) (*tlsv3.DownstreamTlsContext, error) { +func (m *MockSslConfigTranslator) ResolveDownstreamSslConfig(secrets v1.SecretList, dc *ssl.SslConfig) (*tlsv3.DownstreamTlsContext, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ResolveDownstreamSslConfig", arg0, arg1) + ret := m.ctrl.Call(m, "ResolveDownstreamSslConfig", secrets, dc) ret0, _ := ret[0].(*tlsv3.DownstreamTlsContext) ret1, _ := ret[1].(error) return ret0, ret1 } // ResolveDownstreamSslConfig indicates an expected call of ResolveDownstreamSslConfig. -func (mr *MockSslConfigTranslatorMockRecorder) ResolveDownstreamSslConfig(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockSslConfigTranslatorMockRecorder) ResolveDownstreamSslConfig(secrets, dc any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveDownstreamSslConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveDownstreamSslConfig), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveDownstreamSslConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveDownstreamSslConfig), secrets, dc) } // ResolveSslParamsConfig mocks base method. -func (m *MockSslConfigTranslator) ResolveSslParamsConfig(arg0 *ssl.SslParameters) (*tlsv3.TlsParameters, error) { +func (m *MockSslConfigTranslator) ResolveSslParamsConfig(params *ssl.SslParameters) (*tlsv3.TlsParameters, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ResolveSslParamsConfig", arg0) + ret := m.ctrl.Call(m, "ResolveSslParamsConfig", params) ret0, _ := ret[0].(*tlsv3.TlsParameters) ret1, _ := ret[1].(error) return ret0, ret1 } // ResolveSslParamsConfig indicates an expected call of ResolveSslParamsConfig. 
-func (mr *MockSslConfigTranslatorMockRecorder) ResolveSslParamsConfig(arg0 interface{}) *gomock.Call { +func (mr *MockSslConfigTranslatorMockRecorder) ResolveSslParamsConfig(params any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveSslParamsConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveSslParamsConfig), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveSslParamsConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveSslParamsConfig), params) } // ResolveUpstreamSslConfig mocks base method. -func (m *MockSslConfigTranslator) ResolveUpstreamSslConfig(arg0 v1.SecretList, arg1 *ssl.UpstreamSslConfig) (*tlsv3.UpstreamTlsContext, error) { +func (m *MockSslConfigTranslator) ResolveUpstreamSslConfig(secrets v1.SecretList, uc *ssl.UpstreamSslConfig) (*tlsv3.UpstreamTlsContext, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ResolveUpstreamSslConfig", arg0, arg1) + ret := m.ctrl.Call(m, "ResolveUpstreamSslConfig", secrets, uc) ret0, _ := ret[0].(*tlsv3.UpstreamTlsContext) ret1, _ := ret[1].(error) return ret0, ret1 } // ResolveUpstreamSslConfig indicates an expected call of ResolveUpstreamSslConfig. -func (mr *MockSslConfigTranslatorMockRecorder) ResolveUpstreamSslConfig(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockSslConfigTranslatorMockRecorder) ResolveUpstreamSslConfig(secrets, uc any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveUpstreamSslConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveUpstreamSslConfig), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveUpstreamSslConfig", reflect.TypeOf((*MockSslConfigTranslator)(nil).ResolveUpstreamSslConfig), secrets, uc) } diff --git a/projects/gloo/pkg/validation/server_test.go b/projects/gloo/pkg/validation/server_test.go index f41c40b141e..96c8bc82673 100644 --- a/projects/gloo/pkg/validation/server_test.go 
+++ b/projects/gloo/pkg/validation/server_test.go @@ -19,7 +19,6 @@ import ( "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - "github.com/golang/mock/gomock" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ratelimit "github.com/solo-io/gloo/projects/gloo/pkg/api/external/solo/ratelimit" @@ -43,6 +42,7 @@ import ( "github.com/solo-io/solo-kit/pkg/api/v1/resources/core" "github.com/solo-io/solo-kit/pkg/api/v2/reporter" "github.com/solo-io/solo-kit/test/matchers" + "go.uber.org/mock/gomock" "google.golang.org/grpc" ) diff --git a/test/kubernetes/e2e/features/metrics/edge.go b/test/kubernetes/e2e/features/metrics/edge.go index 768abd57a86..de0ac8a06d2 100644 --- a/test/kubernetes/e2e/features/metrics/edge.go +++ b/test/kubernetes/e2e/features/metrics/edge.go @@ -8,6 +8,7 @@ import ( dto "github.com/prometheus/client_model/go" "github.com/prometheus/common/expfmt" + "github.com/prometheus/common/model" "github.com/solo-io/gloo/pkg/utils/envutils" "github.com/solo-io/gloo/pkg/utils/kubeutils/portforward" "github.com/solo-io/gloo/pkg/utils/statsutils/metrics" @@ -172,7 +173,7 @@ func (s *prometheusMetricsTestingSuite) fetchMetrics() (map[string]*dto.MetricFa s.Require().NotNil(res.Body, "response body is not nil") // parse the response body - var parser expfmt.TextParser + parser := expfmt.NewTextParser(model.LegacyValidation) mf, err := parser.TextToMetricFamilies(res.Body) s.Require().NoError(err, "can parse metrics") diff --git a/test/mocks/cache/corecache.go b/test/mocks/cache/corecache.go index 58748e768e9..3af2c5f5531 100644 --- a/test/mocks/cache/corecache.go +++ b/test/mocks/cache/corecache.go 
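Review bot: The new `expfmt.NewTextParser(model.LegacyValidation)` call in fetchMetrics (test/kubernetes/e2e/features/metrics/edge.go) picks a name-validation scheme without saying why. As far as I know, legacy validation accepts only the classic metric and label name charset, so a scraped endpoint that starts emitting UTF-8 names would presumably fail at `TextToMetricFamilies` with a parse error. I would record the choice next to the call, for example `// LegacyValidation: the scraped endpoints only expose classic metric names; revisit if UTF-8 names are enabled`. fetchMetrics starts and ends outside this hunk, so I cannot see whether other parsers in the suite need the same treatment.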
@@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/solo-kit/pkg/api/v1/clients/kube/cache (interfaces: KubeCoreCache) +// +// Generated by this command: +// +// mockgen -destination ./cache/corecache.go github.com/solo-io/solo-kit/pkg/api/v1/clients/kube/cache KubeCoreCache +// // Package mock_cache is a generated GoMock package. package mock_cache @@ -7,8 +12,8 @@ package mock_cache import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" cache "github.com/solo-io/solo-kit/pkg/api/v1/clients/kube/cache" + gomock "go.uber.org/mock/gomock" v1 "k8s.io/client-go/listers/core/v1" ) @@ -16,6 +21,7 @@ import ( type MockKubeCoreCache struct { ctrl *gomock.Controller recorder *MockKubeCoreCacheMockRecorder + isgomock struct{} } // MockKubeCoreCacheMockRecorder is the mock recorder for MockKubeCoreCache. 
@@ -64,59 +70,59 @@ func (mr *MockKubeCoreCacheMockRecorder) NamespaceLister() *gomock.Call { } // NamespacedConfigMapLister mocks base method. -func (m *MockKubeCoreCache) NamespacedConfigMapLister(arg0 string) cache.ConfigMapLister { +func (m *MockKubeCoreCache) NamespacedConfigMapLister(ns string) cache.ConfigMapLister { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NamespacedConfigMapLister", arg0) + ret := m.ctrl.Call(m, "NamespacedConfigMapLister", ns) ret0, _ := ret[0].(cache.ConfigMapLister) return ret0 } // NamespacedConfigMapLister indicates an expected call of NamespacedConfigMapLister. -func (mr *MockKubeCoreCacheMockRecorder) NamespacedConfigMapLister(arg0 interface{}) *gomock.Call { +func (mr *MockKubeCoreCacheMockRecorder) NamespacedConfigMapLister(ns any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedConfigMapLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedConfigMapLister), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedConfigMapLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedConfigMapLister), ns) } // NamespacedPodLister mocks base method. -func (m *MockKubeCoreCache) NamespacedPodLister(arg0 string) cache.PodLister { +func (m *MockKubeCoreCache) NamespacedPodLister(ns string) cache.PodLister { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NamespacedPodLister", arg0) + ret := m.ctrl.Call(m, "NamespacedPodLister", ns) ret0, _ := ret[0].(cache.PodLister) return ret0 } // NamespacedPodLister indicates an expected call of NamespacedPodLister. 
-func (mr *MockKubeCoreCacheMockRecorder) NamespacedPodLister(arg0 interface{}) *gomock.Call { +func (mr *MockKubeCoreCacheMockRecorder) NamespacedPodLister(ns any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedPodLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedPodLister), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedPodLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedPodLister), ns) } // NamespacedSecretLister mocks base method. -func (m *MockKubeCoreCache) NamespacedSecretLister(arg0 string) cache.SecretLister { +func (m *MockKubeCoreCache) NamespacedSecretLister(ns string) cache.SecretLister { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NamespacedSecretLister", arg0) + ret := m.ctrl.Call(m, "NamespacedSecretLister", ns) ret0, _ := ret[0].(cache.SecretLister) return ret0 } // NamespacedSecretLister indicates an expected call of NamespacedSecretLister. -func (mr *MockKubeCoreCacheMockRecorder) NamespacedSecretLister(arg0 interface{}) *gomock.Call { +func (mr *MockKubeCoreCacheMockRecorder) NamespacedSecretLister(ns any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedSecretLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedSecretLister), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedSecretLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedSecretLister), ns) } // NamespacedServiceLister mocks base method. -func (m *MockKubeCoreCache) NamespacedServiceLister(arg0 string) cache.ServiceLister { +func (m *MockKubeCoreCache) NamespacedServiceLister(ns string) cache.ServiceLister { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NamespacedServiceLister", arg0) + ret := m.ctrl.Call(m, "NamespacedServiceLister", ns) ret0, _ := ret[0].(cache.ServiceLister) return ret0 } // NamespacedServiceLister indicates an expected call of NamespacedServiceLister. 
-func (mr *MockKubeCoreCacheMockRecorder) NamespacedServiceLister(arg0 interface{}) *gomock.Call { +func (mr *MockKubeCoreCacheMockRecorder) NamespacedServiceLister(ns any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedServiceLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedServiceLister), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamespacedServiceLister", reflect.TypeOf((*MockKubeCoreCache)(nil).NamespacedServiceLister), ns) } // PodLister mocks base method. @@ -182,7 +188,7 @@ func (m *MockKubeCoreCache) Unsubscribe(arg0 <-chan struct{}) { } // Unsubscribe indicates an expected call of Unsubscribe. -func (mr *MockKubeCoreCacheMockRecorder) Unsubscribe(arg0 interface{}) *gomock.Call { +func (mr *MockKubeCoreCacheMockRecorder) Unsubscribe(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Unsubscribe", reflect.TypeOf((*MockKubeCoreCache)(nil).Unsubscribe), arg0) } diff --git a/test/mocks/gloo/validation_client.go b/test/mocks/gloo/validation_client.go index 74f4a4bce9e..99d0e645e39 100644 --- a/test/mocks/gloo/validation_client.go +++ b/test/mocks/gloo/validation_client.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: github.com/solo-io/gloo/projects/gloo/pkg/api/grpc/validation (interfaces: GlooValidationServiceClient) +// +// Generated by this command: +// +// mockgen -destination ./gloo/validation_client.go github.com/solo-io/gloo/projects/gloo/pkg/api/grpc/validation GlooValidationServiceClient +// // Package mock_validation is a generated GoMock package. package mock_validation @@ -8,8 +13,8 @@ import ( context "context" reflect "reflect" - gomock "github.com/golang/mock/gomock" validation "github.com/solo-io/gloo/projects/gloo/pkg/api/grpc/validation" + gomock "go.uber.org/mock/gomock" grpc "google.golang.org/grpc" ) 
@@ -17,6 +22,7 @@ import ( type MockGlooValidationServiceClient struct { ctrl *gomock.Controller recorder *MockGlooValidationServiceClientMockRecorder + isgomock struct{} } // MockGlooValidationServiceClientMockRecorder is the mock recorder for MockGlooValidationServiceClient. @@ -37,10 +43,10 @@ func (m *MockGlooValidationServiceClient) EXPECT() *MockGlooValidationServiceCli } // NotifyOnResync mocks base method. -func (m *MockGlooValidationServiceClient) NotifyOnResync(arg0 context.Context, arg1 *validation.NotifyOnResyncRequest, arg2 ...grpc.CallOption) (validation.GlooValidationService_NotifyOnResyncClient, error) { +func (m *MockGlooValidationServiceClient) NotifyOnResync(ctx context.Context, in *validation.NotifyOnResyncRequest, opts ...grpc.CallOption) (validation.GlooValidationService_NotifyOnResyncClient, error) { m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { + varargs := []any{ctx, in} + for _, a := range opts { varargs = append(varargs, a) } ret := m.ctrl.Call(m, "NotifyOnResync", varargs...) 
@@ -50,17 +56,17 @@ func (m *MockGlooValidationServiceClient) NotifyOnResync(arg0 context.Context, a } // NotifyOnResync indicates an expected call of NotifyOnResync. -func (mr *MockGlooValidationServiceClientMockRecorder) NotifyOnResync(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { +func (mr *MockGlooValidationServiceClientMockRecorder) NotifyOnResync(ctx, in any, opts ...any) *gomock.Call { mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) + varargs := append([]any{ctx, in}, opts...) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NotifyOnResync", reflect.TypeOf((*MockGlooValidationServiceClient)(nil).NotifyOnResync), varargs...) } // Validate mocks base method. -func (m *MockGlooValidationServiceClient) Validate(arg0 context.Context, arg1 *validation.GlooValidationServiceRequest, arg2 ...grpc.CallOption) (*validation.GlooValidationServiceResponse, error) { +func (m *MockGlooValidationServiceClient) Validate(ctx context.Context, in *validation.GlooValidationServiceRequest, opts ...grpc.CallOption) (*validation.GlooValidationServiceResponse, error) { m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { + varargs := []any{ctx, in} + for _, a := range opts { varargs = append(varargs, a) } ret := m.ctrl.Call(m, "Validate", varargs...) @@ -70,8 +76,8 @@ func (m *MockGlooValidationServiceClient) Validate(arg0 context.Context, arg1 *v } // Validate indicates an expected call of Validate. -func (mr *MockGlooValidationServiceClientMockRecorder) Validate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { +func (mr *MockGlooValidationServiceClientMockRecorder) Validate(ctx, in any, opts ...any) *gomock.Call { mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) + varargs := append([]any{ctx, in}, opts...) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockGlooValidationServiceClient)(nil).Validate), varargs...) } 
diff --git a/test/mocks/kubernetes/kubeinterface.go b/test/mocks/kubernetes/kubeinterface.go index 5590439a244..02c8e3b73fc 100644 --- a/test/mocks/kubernetes/kubeinterface.go +++ b/test/mocks/kubernetes/kubeinterface.go @@ -1,5 +1,10 @@ // Code generated by MockGen. DO NOT EDIT. // Source: k8s.io/client-go/kubernetes (interfaces: Interface) +// +// Generated by this command: +// +// mockgen -destination ./kubernetes/kubeinterface.go k8s.io/client-go/kubernetes Interface +// // Package mock_kubernetes is a generated GoMock package. package mock_kubernetes @@ -7,7 +12,7 @@ package mock_kubernetes import ( reflect "reflect" - gomock "github.com/golang/mock/gomock" + gomock "go.uber.org/mock/gomock" discovery "k8s.io/client-go/discovery" v1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1" v1alpha1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1" 
@@ -44,32 +49,33 @@ import ( v1beta20 "k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta2" v1beta3 "k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta3" v111 "k8s.io/client-go/kubernetes/typed/networking/v1" - v1alpha13 "k8s.io/client-go/kubernetes/typed/networking/v1alpha1" v1beta110 "k8s.io/client-go/kubernetes/typed/networking/v1beta1" v112 "k8s.io/client-go/kubernetes/typed/node/v1" - v1alpha14 "k8s.io/client-go/kubernetes/typed/node/v1alpha1" + v1alpha13 "k8s.io/client-go/kubernetes/typed/node/v1alpha1" v1beta111 "k8s.io/client-go/kubernetes/typed/node/v1beta1" v113 "k8s.io/client-go/kubernetes/typed/policy/v1" v1beta112 "k8s.io/client-go/kubernetes/typed/policy/v1beta1" v114 "k8s.io/client-go/kubernetes/typed/rbac/v1" - v1alpha15 "k8s.io/client-go/kubernetes/typed/rbac/v1alpha1" + v1alpha14 "k8s.io/client-go/kubernetes/typed/rbac/v1alpha1" v1beta113 "k8s.io/client-go/kubernetes/typed/rbac/v1beta1" + v115 "k8s.io/client-go/kubernetes/typed/resource/v1" v1alpha3 "k8s.io/client-go/kubernetes/typed/resource/v1alpha3" v1beta114 "k8s.io/client-go/kubernetes/typed/resource/v1beta1" v1beta21 "k8s.io/client-go/kubernetes/typed/resource/v1beta2" - v115 "k8s.io/client-go/kubernetes/typed/scheduling/v1" - v1alpha16 "k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1" + v116 "k8s.io/client-go/kubernetes/typed/scheduling/v1" + v1alpha15 "k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1" v1beta115 "k8s.io/client-go/kubernetes/typed/scheduling/v1beta1" - v116 "k8s.io/client-go/kubernetes/typed/storage/v1" - v1alpha17 "k8s.io/client-go/kubernetes/typed/storage/v1alpha1" + v117 "k8s.io/client-go/kubernetes/typed/storage/v1" + v1alpha16 "k8s.io/client-go/kubernetes/typed/storage/v1alpha1" v1beta116 "k8s.io/client-go/kubernetes/typed/storage/v1beta1" - v1alpha18 "k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1" + v1alpha17 "k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1" ) // MockInterface is a mock of Interface interface. 
type MockInterface struct { ctrl *gomock.Controller recorder *MockInterfaceMockRecorder + isgomock struct{} } // MockInterfaceMockRecorder is the mock recorder for MockInterface. @@ -593,20 +599,6 @@ func (mr *MockInterfaceMockRecorder) NetworkingV1() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkingV1", reflect.TypeOf((*MockInterface)(nil).NetworkingV1)) } -// NetworkingV1alpha1 mocks base method. -func (m *MockInterface) NetworkingV1alpha1() v1alpha13.NetworkingV1alpha1Interface { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NetworkingV1alpha1") - ret0, _ := ret[0].(v1alpha13.NetworkingV1alpha1Interface) - return ret0 -} - -// NetworkingV1alpha1 indicates an expected call of NetworkingV1alpha1. -func (mr *MockInterfaceMockRecorder) NetworkingV1alpha1() *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkingV1alpha1", reflect.TypeOf((*MockInterface)(nil).NetworkingV1alpha1)) -} - // NetworkingV1beta1 mocks base method. func (m *MockInterface) NetworkingV1beta1() v1beta110.NetworkingV1beta1Interface { m.ctrl.T.Helper() @@ -636,10 +628,10 @@ func (mr *MockInterfaceMockRecorder) NodeV1() *gomock.Call { } // NodeV1alpha1 mocks base method. -func (m *MockInterface) NodeV1alpha1() v1alpha14.NodeV1alpha1Interface { +func (m *MockInterface) NodeV1alpha1() v1alpha13.NodeV1alpha1Interface { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "NodeV1alpha1") - ret0, _ := ret[0].(v1alpha14.NodeV1alpha1Interface) + ret0, _ := ret[0].(v1alpha13.NodeV1alpha1Interface) return ret0 } 
@@ -706,10 +698,10 @@ func (mr *MockInterfaceMockRecorder) RbacV1() *gomock.Call { } // RbacV1alpha1 mocks base method. -func (m *MockInterface) RbacV1alpha1() v1alpha15.RbacV1alpha1Interface { +func (m *MockInterface) RbacV1alpha1() v1alpha14.RbacV1alpha1Interface { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "RbacV1alpha1") - ret0, _ := ret[0].(v1alpha15.RbacV1alpha1Interface) + ret0, _ := ret[0].(v1alpha14.RbacV1alpha1Interface) return ret0 } @@ -733,6 +725,20 @@ func (mr *MockInterfaceMockRecorder) RbacV1beta1() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RbacV1beta1", reflect.TypeOf((*MockInterface)(nil).RbacV1beta1)) } +// ResourceV1 mocks base method. +func (m *MockInterface) ResourceV1() v115.ResourceV1Interface { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "ResourceV1") + ret0, _ := ret[0].(v115.ResourceV1Interface) + return ret0 +} + +// ResourceV1 indicates an expected call of ResourceV1. +func (mr *MockInterfaceMockRecorder) ResourceV1() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResourceV1", reflect.TypeOf((*MockInterface)(nil).ResourceV1)) +} + // ResourceV1alpha3 mocks base method. func (m *MockInterface) ResourceV1alpha3() v1alpha3.ResourceV1alpha3Interface { m.ctrl.T.Helper() @@ -776,10 +782,10 @@ func (mr *MockInterfaceMockRecorder) ResourceV1beta2() *gomock.Call { } // SchedulingV1 mocks base method. -func (m *MockInterface) SchedulingV1() v115.SchedulingV1Interface { +func (m *MockInterface) SchedulingV1() v116.SchedulingV1Interface { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "SchedulingV1") - ret0, _ := ret[0].(v115.SchedulingV1Interface) + ret0, _ := ret[0].(v116.SchedulingV1Interface) return ret0 } 
@@ -790,10 +796,10 @@ func (mr *MockInterfaceMockRecorder) SchedulingV1() *gomock.Call { } // SchedulingV1alpha1 mocks base method. -func (m *MockInterface) SchedulingV1alpha1() v1alpha16.SchedulingV1alpha1Interface { +func (m *MockInterface) SchedulingV1alpha1() v1alpha15.SchedulingV1alpha1Interface { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "SchedulingV1alpha1") - ret0, _ := ret[0].(v1alpha16.SchedulingV1alpha1Interface) + ret0, _ := ret[0].(v1alpha15.SchedulingV1alpha1Interface) return ret0 } @@ -818,10 +824,10 @@ func (mr *MockInterfaceMockRecorder) SchedulingV1beta1() *gomock.Call { } // StorageV1 mocks base method. -func (m *MockInterface) StorageV1() v116.StorageV1Interface { +func (m *MockInterface) StorageV1() v117.StorageV1Interface { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "StorageV1") - ret0, _ := ret[0].(v116.StorageV1Interface) + ret0, _ := ret[0].(v117.StorageV1Interface) return ret0 } @@ -832,10 +838,10 @@ func (mr *MockInterfaceMockRecorder) StorageV1() *gomock.Call { } // StorageV1alpha1 mocks base method. -func (m *MockInterface) StorageV1alpha1() v1alpha17.StorageV1alpha1Interface { +func (m *MockInterface) StorageV1alpha1() v1alpha16.StorageV1alpha1Interface { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "StorageV1alpha1") - ret0, _ := ret[0].(v1alpha17.StorageV1alpha1Interface) + ret0, _ := ret[0].(v1alpha16.StorageV1alpha1Interface) return ret0 } @@ -860,10 +866,10 @@ func (mr *MockInterfaceMockRecorder) StorageV1beta1() *gomock.Call { } // StoragemigrationV1alpha1 mocks base method. -func (m *MockInterface) StoragemigrationV1alpha1() v1alpha18.StoragemigrationV1alpha1Interface { +func (m *MockInterface) StoragemigrationV1alpha1() v1alpha17.StoragemigrationV1alpha1Interface { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "StoragemigrationV1alpha1") - ret0, _ := ret[0].(v1alpha18.StoragemigrationV1alpha1Interface) + ret0, _ := ret[0].(v1alpha17.StoragemigrationV1alpha1Interface) return ret0 } 
diff --git a/test/services/docker.go b/test/services/docker.go
index 50e60e97d38..4f6dd7644bd 100644
--- a/test/services/docker.go
+++ b/test/services/docker.go
@@ -36,6 +36,8 @@ func RunContainer(containerName string, args []string) error {
 cmd := exec.Command("docker", runArgs...)
 cmd.Stdout = ginkgo.GinkgoWriter
 cmd.Stderr = ginkgo.GinkgoWriter
+ // Set DOCKER_API_VERSION for compatibility with older Docker daemons
+ cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41")
 err := cmd.Run()
 if err != nil {
 return errors.Wrap(err, "Unable to start "+containerName+" container")
@@ -46,6 +48,8 @@ func RunContainer(containerName string, args []string) error {
 // ContainerExistsWithName returns an empty string if the container does not exist
 func ContainerExistsWithName(containerName string) string {
 cmd := exec.Command("docker", "ps", "-aq", "-f", "name=^/"+containerName+"$")
+ // Set DOCKER_API_VERSION for compatibility with older Docker daemons
+ cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41")
 out, err := cmd.CombinedOutput()
 if err != nil {
 fmt.Printf("cmd.Run() [%s %s] failed with %s\n", cmd.Path, cmd.Args, err)
@@ -57,6 +61,8 @@ func ExecOnContainer(containerName string, args []string) ([]byte, error) {
 arguments := []string{"exec", containerName}
 arguments = append(arguments, args...)
 cmd := exec.Command("docker", arguments...)
+ // Set DOCKER_API_VERSION for compatibility with older Docker daemons
+ cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41")
 out, err := cmd.CombinedOutput()
 if err != nil {
 return nil, errors.Wrapf(err, "Unable to execute command %v on [%s] container [%s]", arguments, containerName, out)
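Review bot: `cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41")` is appended after the inherited environment, and os/exec keeps the last value of a duplicated key, so a DOCKER_API_VERSION already exported by a developer or CI runner is silently replaced in RunContainer, ContainerExistsWithName and ExecOnContainer. The same two lines recur in the StopContainer and WaitUntilContainerRemoved hunks, in Instance.Logs in test/services/envoy/instance.go and in DockerDownload, so the pinned version is spelled out at seven Go call sites. A hard pin also cuts the other way: a daemon whose minimum supported API is above 1.41 would reject these calls, which is worth confirming against the runners in use. I would move the pin into one helper that applies the default only when the variable is unset and have each call site build its command through it; the enclosing functions continue outside these hunks.

```go
// dockerAPIVersion is the client API version the test helpers fall back to
// when the caller has not exported DOCKER_API_VERSION.
const dockerAPIVersion = "1.41"

// dockerCommand builds a docker CLI invocation that inherits the caller's
// environment and adds the default API version only if none is set.
func dockerCommand(args ...string) *exec.Cmd {
	cmd := exec.Command("docker", args...)
	cmd.Env = os.Environ()
	if _, set := os.LookupEnv("DOCKER_API_VERSION"); !set {
		cmd.Env = append(cmd.Env, "DOCKER_API_VERSION="+dockerAPIVersion)
	}
	return cmd
}

// … unchanged: RunContainer up to the command construction …
cmd := dockerCommand(runArgs...)
```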
@@ -82,6 +88,8 @@ func StopContainer(containerName string) { cmd := exec.Command("docker", "stop", containerName) cmd.Stdout = ginkgo.GinkgoWriter cmd.Stderr = ginkgo.GinkgoWriter + // Set DOCKER_API_VERSION for compatibility with older Docker daemons + cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41") err := cmd.Run() if err != nil { // We have seen this trip, even when the container is successfully stopped @@ -93,7 +101,10 @@ func StopContainer(containerName string) { // successful or fail after a small number of retries func WaitUntilContainerRemoved(containerName string) error { return retry.Do(func() error { - inspectErr := exec.Command("docker", "inspect", containerName).Run() + cmd := exec.Command("docker", "inspect", containerName) + // Set DOCKER_API_VERSION for compatibility with older Docker daemons + cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41") + inspectErr := cmd.Run() if inspectErr == nil { // If there is no error, it means the container still exists, so we want to retry return errors.Errorf("container %s still exists", containerName) diff --git a/test/services/envoy/instance.go b/test/services/envoy/instance.go index b8c729a6528..6c6c5e3fcb4 100644 --- a/test/services/envoy/instance.go +++ b/test/services/envoy/instance.go @@ -6,6 +6,7 @@ import ( "fmt" "io" "net" + "os" "os/exec" "github.com/solo-io/go-utils/threadsafe" @@ -298,6 +299,8 @@ func (ei *Instance) Logs() (string, error) { if ei.UseDocker { logsArgs := []string{"logs", ei.DockerContainerName} cmd := exec.Command("docker", logsArgs...) + // Set DOCKER_API_VERSION for compatibility with older Docker daemons + cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41") byt, err := cmd.CombinedOutput() if err != nil { return "", errors.Wrap(err, "Unable to fetch logs from envoy container") diff --git a/test/services/utils/download.go b/test/services/utils/download.go index 8144e1401f8..69fac6b28ce 100644 --- a/test/services/utils/download.go 
+++ b/test/services/utils/download.go @@ -85,6 +85,8 @@ var DockerDownload = func(tmpdir string, params GetBinaryParams) (string, error) // use bash to run a docker container and extract the binary file from the running container bash := fmt.Sprintf(` set -ex +# Set Docker API version to 1.41 for compatibility with older Docker daemons +export DOCKER_API_VERSION=1.41 CID=$(docker run -d %s /bin/sh -c exit) # just print the image sha for reproducibility @@ -107,6 +109,8 @@ docker rm -f $CID cmd.Dir = tmpdir cmd.Stdout = ginkgo.GinkgoWriter cmd.Stderr = ginkgo.GinkgoWriter + // Set DOCKER_API_VERSION environment variable for compatibility + cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41") if err := cmd.Run(); err != nil { return "", err }
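Review bot: DockerDownload now sets the API version twice for the same process, once with `export DOCKER_API_VERSION=1.41` inside the script and again with `cmd.Env = append(os.Environ(), "DOCKER_API_VERSION=1.41")` on the command that runs it, so the two literals can drift apart and the script's export wins regardless. One of them is enough; in the script, `export DOCKER_API_VERSION="${DOCKER_API_VERSION:-1.41}"` would also keep a value the runner already exports instead of overriding it. No import hunk for `os` is shown for this file, so it presumably imports the package already, which is worth confirming with a build. Both hunks sit inside the DockerDownload function literal, which starts and ends outside them.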