k8s

package
v0.0.0-...-4567ff4
Published: Dec 3, 2022 License: Apache-2.0 Imports: 17 Imported by: 1

README

K8S helpers

The HBone k8s package integrates with K8S: it supports K8S token auth, mainly to authenticate to Istiod or other services that require JWT auth, and it can also auto-configure itself from a config map.

To keep dependencies minimal, the package calls the K8S REST API directly.

Documentation


Constants

const (
	// GatewayConditionScheduled indicates whether the controller
	// managing the Gateway has scheduled the Gateway to the
	// underlying network infrastructure.
	//
	// Possible reasons for this condition to be false are:
	//
	// * "NotReconciled"
	// * "NoSuchGatewayClass"
	// * "NoResources"
	//
	// Controllers may raise this condition with other reasons,
	// but should prefer to use the reasons listed above to improve
	// interoperability.
	GatewayConditionScheduled GatewayConditionType = "Scheduled"

	// GatewayReasonNotReconciled is used when the Gateway is
	// not scheduled because it has recently been created and no
	// controller has reconciled it yet.
	GatewayReasonNotReconciled GatewayConditionReason = "NotReconciled"

	// GatewayReasonNoSuchGatewayClass is used when the Gateway is
	// not scheduled because there is no controller that recognizes
	// the GatewayClassName. This reason should only be set by
	// a controller that has cluster-wide visibility of all the
	// installed GatewayClasses.
	GatewayReasonNoSuchGatewayClass GatewayConditionReason = "NoSuchGatewayClass"

	// GatewayReasonNoResources is used when the Gateway is
	// not scheduled because no infrastructure resources are
	// available for this Gateway.
	GatewayReasonNoResources GatewayConditionReason = "NoResources"
)
const (
	// GatewayConditionReady indicates whether the Gateway is able
	// to serve traffic. Note that this does not indicate that the
	// Gateway configuration is current or even complete (e.g. the
	// controller may still not have reconciled the latest version,
	// or some parts of the configuration could be missing).
	//
	// If both the "ListenersNotValid" and "ListenersNotReady"
	// reasons are true, the Gateway controller should prefer the
	// "ListenersNotValid" reason.
	//
	// Possible reasons for this condition to be false are:
	//
	// * "ListenersNotValid"
	// * "ListenersNotReady"
	// * "AddressNotAssigned"
	//
	// Controllers may raise this condition with other reasons,
	// but should prefer to use the reasons listed above to improve
	// interoperability.
	GatewayConditionReady GatewayConditionType = "Ready"

	// GatewayReasonListenersNotValid is used when one or more
	// Listeners have an invalid or unsupported configuration
	// and cannot be configured on the Gateway.
	GatewayReasonListenersNotValid GatewayConditionReason = "ListenersNotValid"

	// GatewayReasonListenersNotReady is used when one or more
	// Listeners are not ready to serve traffic.
	GatewayReasonListenersNotReady GatewayConditionReason = "ListenersNotReady"

	// GatewayReasonAddressNotAssigned is used when the requested
	// address has not been assigned to the Gateway. This reason
	// can be used to express a range of circumstances, including
	// (but not limited to) IPAM address exhaustion, invalid
	// or unsupported address requests, or a named address not
	// being found.
	GatewayReasonAddressNotAssigned GatewayConditionReason = "AddressNotAssigned"
)
const (
	// ListenerConditionConflicted indicates that the controller
	// was unable to resolve conflicting specification requirements
	// for this Listener. If a Listener is conflicted, its network
	// port should not be configured on any network elements.
	//
	// Possible reasons for this condition to be true are:
	//
	// * "HostnameConflict"
	// * "ProtocolConflict"
	// * "RouteConflict"
	//
	// Controllers may raise this condition with other reasons,
	// but should prefer to use the reasons listed above to improve
	// interoperability.
	ListenerConditionConflicted ListenerConditionType = "Conflicted"

	// ListenerReasonHostnameConflict is used when the Listener conflicts with
	// hostnames in other Listeners. For example, this reason would be used when
	// multiple Listeners on the same port use "*" in the hostname field.
	ListenerReasonHostnameConflict ListenerConditionReason = "HostnameConflict"

	// ListenerReasonProtocolConflict is used when multiple
	// Listeners are specified with the same Listener port number,
	// but have conflicting protocol specifications.
	ListenerReasonProtocolConflict ListenerConditionReason = "ProtocolConflict"

	// ListenerReasonRouteConflict is used when the route
	// resources selected for this Listener conflict with other
	// specified properties of the Listener (e.g. Protocol).
	// For example, a Listener that specifies "UDP" as the protocol
	// but a route selector that resolves "TCPRoute" objects.
	ListenerReasonRouteConflict ListenerConditionReason = "RouteConflict"
)
const (
	// ListenerConditionDetached indicates that, even though
	// the listener is syntactically and semantically valid, the
	// controller is not able to configure it on the underlying
	// Gateway infrastructure.
	//
	// A Listener is specified as a logical requirement, but needs to be
	// configured on a network endpoint (i.e. address and port) by a
	// controller. The controller may be unable to attach the Listener
	// if it specifies an unsupported requirement, or prerequisite
	// resources are not available.
	//
	// Possible reasons for this condition to be true are:
	//
	// * "PortUnavailable"
	// * "UnsupportedExtension"
	// * "UnsupportedProtocol"
	// * "UnsupportedAddress"
	//
	// Controllers may raise this condition with other reasons,
	// but should prefer to use the reasons listed above to improve
	// interoperability.
	ListenerConditionDetached ListenerConditionType = "Detached"

	// ListenerReasonPortUnavailable is used when the Listener
	// requests a port that cannot be used on the Gateway.
	ListenerReasonPortUnavailable ListenerConditionReason = "PortUnavailable"

	// ListenerReasonUnsupportedExtension is used when the
	// controller detects that an implementation-specific Listener
	// extension is being requested, but is not able to support
	// the extension.
	ListenerReasonUnsupportedExtension ListenerConditionReason = "UnsupportedExtension"

	// ListenerReasonUnsupportedProtocol is used when the
	// Listener could not be attached to the Gateway because its
	// protocol type is not supported.
	ListenerReasonUnsupportedProtocol ListenerConditionReason = "UnsupportedProtocol"

	// ListenerReasonUnsupportedAddress is used when the Listener
	// could not be attached to the Gateway because the requested
	// address is not supported.
	ListenerReasonUnsupportedAddress ListenerConditionReason = "UnsupportedAddress"
)
const (
	// ListenerConditionResolvedRefs indicates whether the
	// controller was able to resolve all the object references
	// for the Listener.
	//
	// Possible reasons for this condition to be false are:
	//
	// * "DegradedRoutes"
	// * "InvalidCertificateRef"
	// * "InvalidRoutesRef"
	//
	// Controllers may raise this condition with other reasons,
	// but should prefer to use the reasons listed above to improve
	// interoperability.
	ListenerConditionResolvedRefs ListenerConditionType = "ResolvedRefs"

	// ListenerReasonDegradedRoutes indicates that not all of the routes
	// selected by this Listener could be configured. The specific reason
	// for the degraded route should be indicated in the route's
	// .Status.Conditions field.
	ListenerReasonDegradedRoutes ListenerConditionReason = "DegradedRoutes"

	// ListenerReasonInvalidCertificateRef is used when the
	// Listener has a TLS configuration with a TLS CertificateRef
	// that is invalid or cannot be resolved.
	ListenerReasonInvalidCertificateRef ListenerConditionReason = "InvalidCertificateRef"

	// ListenerReasonInvalidRoutesRef is used when the Listener's Routes
	// selector or kind is invalid or cannot be resolved. Note that it is not
	// an error for this selector to not resolve any Routes, and the
	// "ResolvedRefs" status condition should not be raised in that case.
	ListenerReasonInvalidRoutesRef ListenerConditionReason = "InvalidRoutesRef"
)
const (
	// ListenerConditionReady indicates whether the Listener
	// has been configured on the Gateway.
	//
	// Possible reasons for this condition to be false are:
	//
	// * "Invalid"
	// * "Pending"
	//
	// Controllers may raise this condition with other reasons,
	// but should prefer to use the reasons listed above to improve
	// interoperability.
	ListenerConditionReady ListenerConditionType = "Ready"

	// ListenerReasonInvalid is used when the Listener is
	// syntactically or semantically invalid.
	ListenerReasonInvalid ListenerConditionReason = "Invalid"

	// ListenerReasonPending is used when the Listener is not
	// yet online and ready to accept client traffic.
	ListenerReasonPending ListenerConditionReason = "Pending"
)

Variables

This section is empty.

Functions

func AddKubeConfigClusters

func AddKubeConfigClusters(uk *hbone.HBone, kc *KubeConfig) (*hbone.Cluster, map[string]*hbone.Cluster, error)

AddKubeConfigClusters extracts the supported RestClusters from the kube config and returns the default cluster and the list of clusters keyed by location. GKE naming conventions are assumed for extracting the location.

URest is used to configure the TokenProvider and as a factory for the http client. Returns the default client and the list of non-default clients.

func GKEClusterName

func GKEClusterName(id string) (projectID, location, name string)

func GetConfigMap

func GetConfigMap(ctx context.Context, uK8S *hbone.Cluster, ns string, name string) (map[string]string, error)

Wrapper around ConfigMap: returns the data content. Returns an error if the map can't be parsed or the request fails.

func GetSecret

func GetSecret(ctx context.Context, uk8s *hbone.Cluster, ns string, name string) (map[string][]byte, error)

Wrapper around Secret: returns the data content.

func GetTokenRaw

func GetTokenRaw(ctx context.Context, uK8S *hbone.Cluster, ns, name, aud string) (string, error)

GetTokenRaw returns a K8S JWT for the specified namespace, service account name and audience. The caller must have the RBAC permission to act as name.ns.

Equivalent request, issued here with kubectl:

token=$(echo '{"kind":"TokenRequest","apiVersion":"authentication.k8s.io/v1","spec":{"audiences":["istio-ca"], "expirationSeconds":2592000}}' | \
   kubectl create --raw /api/v1/namespaces/default/serviceaccounts/default/token -f - | jq -j '.status.token')
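The request body GetTokenRaw sends and what a caller should check in the token it gets back, as an added Go example that is not part of the hbone package: the TokenRequest and Claims types, InspectToken and makeDemoJWT are hypothetical helpers written here, and the token is constructed inline rather than fetched from a cluster.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenRequestSpec and TokenRequest mirror the body posted in the kubectl example
// above (hypothetical types; the page's CreateTokenRequestSpec carries only Audiences).
type TokenRequestSpec struct {
	Audiences         []string `json:"audiences"`
	ExpirationSeconds int64    `json:"expirationSeconds,omitempty"`
}
type TokenRequest struct {
	Kind       string           `json:"kind"`
	APIVersion string           `json:"apiVersion"`
	Spec       TokenRequestSpec `json:"spec"`
}

// TokenRequestPath is the subresource path GetTokenRaw posts to.
func TokenRequestPath(ns, name string) string {
	return fmt.Sprintf("/api/v1/namespaces/%s/serviceaccounts/%s/token", ns, name)
}

// BuildTokenRequest marshals a TokenRequest bound to the given audiences. A token
// without an audience is accepted by every service trusting the issuer, so refuse it.
func BuildTokenRequest(audiences []string, ttl time.Duration) ([]byte, error) {
	if len(audiences) == 0 {
		return nil, errors.New("at least one audience is required")
	}
	spec := TokenRequestSpec{Audiences: audiences, ExpirationSeconds: int64(ttl / time.Second)}
	return json.Marshal(TokenRequest{Kind: "TokenRequest", APIVersion: "authentication.k8s.io/v1", Spec: spec})
}

// Claims are the token claims the client inspects. K8S emits "aud" as an array;
// a bare-string aud (also legal per RFC 7519) would fail to parse and be rejected.
type Claims struct {
	Aud []string `json:"aud"`
	Sub string   `json:"sub"`
	Exp int64    `json:"exp"`
}

// InspectToken decodes the payload of the JWT returned by the TokenRequest API and
// confirms it names service account name.ns, carries wantAud and is valid at now. It
// returns the remaining lifetime for scheduling a refresh, since the API server may
// shorten the requested expirationSeconds. The relying party (e.g. Istiod) verifies
// the signature; this client-side check of the server's own reply does not.
func InspectToken(token, ns, name, wantAud string, now time.Time) (time.Duration, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return 0, fmt.Errorf("decode payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return 0, fmt.Errorf("parse claims: %w", err)
	}
	if want := "system:serviceaccount:" + ns + ":" + name; c.Sub != want {
		return 0, fmt.Errorf("subject %q, want %q", c.Sub, want)
	}
	bound := false
	for _, a := range c.Aud {
		bound = bound || a == wantAud
	}
	if !bound {
		return 0, fmt.Errorf("token not bound to audience %q (aud=%v)", wantAud, c.Aud)
	}
	left := time.Unix(c.Exp, 0).Sub(now)
	if c.Exp == 0 || left <= 0 {
		return 0, errors.New("token expired or has no exp")
	}
	return left, nil
}

// makeDemoJWT builds a constructed, dummy-signed token so the example runs offline.
func makeDemoJWT(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"
}

func main() {
	body, _ := BuildTokenRequest([]string{"istio-ca"}, 2592000*time.Second)
	fmt.Println("POST", TokenRequestPath("default", "default"), string(body))
	// Constructed token: the server granted only one hour of the requested 30 days.
	now := time.Unix(1700000000, 0)
	tok := makeDemoJWT(map[string]interface{}{"aud": []string{"istio-ca"},
		"sub": "system:serviceaccount:default:default", "exp": now.Add(time.Hour).Unix()})
	left, err := InspectToken(tok, "default", "default", "istio-ca", now)
	fmt.Println("refresh before:", left, "err:", err)
}
```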

func InitK8S

func InitK8S(ctx context.Context, hb *hbone.HBone) (*hbone.Cluster, error)

InitK8S detects the k8s environment and, if present, loads the mesh defaults and initializes the authenticators.

func ListRequest

func ListRequest(ctx context.Context, uk8s *hbone.Cluster, ns, kind string) *http.Request

func Request

func Request(ctx context.Context, uk8s *hbone.Cluster, ns, kind, name string, postdata []byte) *http.Request

func WatchRequest

func WatchRequest(ctx context.Context, uk8s *hbone.Cluster, ns, kind, name string) *http.Request

Types

type AddressType

type AddressType string

AddressType defines how a network address is represented as a text string. Valid AddressType values are:

* "IPAddress": an IPv4 or IPv6 address
* "NamedAddress": an opaque identifier. The interpretation of the name is dependent on the controller. If a NamedAddress is requested but unsupported by an implementation, the controller should raise the "Detached" listener status condition on the Gateway with the "UnsupportedAddress" reason.

A NamedAddress might be a cloud-dependent WorkloadID for a "static" or "elastic" IP.

+kubebuilder:validation:Enum=IPAddress;NamedAddress

const (
	// IPAddressType a textual representation of a numeric IP
	// address. IPv4 addresses must be in dotted-decimal
	// form. IPv6 addresses must be in a standard IPv6 text
	// representation (see RFC 5952).
	//
	// If the requested address is unsupported, the controller
	// should raise the "Detached" listener status condition on
	// the Gateway with the "UnsupportedAddress" reason.
	//
	// Support: Extended.
	IPAddressType AddressType = "IPAddress"

	// NamedAddressType is an opaque identifier. The interpretation
	// of the name is dependent on the controller. If a NamedAddress is
	// requested but unsupported by an implementation, the controller
	// should raise the "Detached" listener status condition on the Gateway
	// with the "UnsupportedAddress" reason.
	//
	// Support: Implementation-specific.
	NamedAddressType AddressType = "NamedAddress"
)

type Condition

type Condition struct {
	// type of condition in CamelCase or in foo.example.com/CamelCase.
	// ---
	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
	// useful (see .node.status.conditions), the ability to deconflict is important.
	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
	// +kubebuilder:validation:MaxLength=316
	Type string `json:"type" protobuf:"bytes,1,opt,name=type"`
	// status of the condition, one of True, False, Unknown.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Enum=True;False;Unknown
	Status ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status"`
	// observedGeneration represents the .metadata.generation that the condition was set based upon.
	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
	// with respect to the current state of the instance.
	// +optional
	// +kubebuilder:validation:Minimum=0
	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,3,opt,name=observedGeneration"`
	// lastTransitionTime is the last time the condition transitioned from one status to another.
	// This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=date-time
	LastTransitionTime Time `json:"lastTransitionTime" protobuf:"bytes,4,opt,name=lastTransitionTime"`
	// reason contains a programmatic identifier indicating the reason for the condition's last transition.
	// Producers of specific condition types may define expected values and meanings for this field,
	// and whether the values are considered a guaranteed API.
	// The value should be a CamelCase string.
	// This field may not be empty.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MaxLength=1024
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
	Reason string `json:"reason" protobuf:"bytes,5,opt,name=reason"`
	// message is a human readable message indicating details about the transition.
	// This may be an empty string.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MaxLength=32768
	Message string `json:"message" protobuf:"bytes,6,opt,name=message"`
}

type ConditionStatus

type ConditionStatus string
const (
	ConditionTrue    ConditionStatus = "True"
	ConditionFalse   ConditionStatus = "False"
	ConditionUnknown ConditionStatus = "Unknown"
)

These are valid condition statuses. "ConditionTrue" means a resource is in the condition. "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes can't decide if a resource is in the condition or not. In the future, we could add other intermediate conditions, e.g. ConditionDegraded.

type ConfigMap

type ConfigMap struct {
	ApiVersion string            `json:"apiVersion"`
	Data       map[string]string `json:"data"`
	Kind       string            `json:"kind"`
}

type Context

type Context struct {
	// Cluster is the name of the cluster for this context
	Cluster string `json:"cluster"`
	// AuthInfo is the name of the authInfo for this context
	User string `json:"user"`
	// Namespace is the default namespace to use on unspecified requests
	// +optional
	Namespace string `json:"namespace,omitempty"`
}

Context is a tuple of references to a cluster (how do I communicate with a kubernetes cluster), a user (how do I identify myself), and a namespace (what subset of resources do I want to work with).

type CreateTokenRequest

type CreateTokenRequest struct {
	Spec CreateTokenRequestSpec `json:"spec"`
}

type CreateTokenRequestSpec

type CreateTokenRequestSpec struct {
	Audiences []string `json:"audiences"`
}

type CreateTokenResponse

type CreateTokenResponse struct {
	Status CreateTokenResponseStatus `json:"status"`
}

type CreateTokenResponseStatus

type CreateTokenResponseStatus struct {
	Token string `json:"token"`
}

type Gateway

type Gateway struct {
	TypeMeta   `json:",inline"`
	ObjectMeta `json:"metadata,omitempty"`

	Spec GatewaySpec `json:"spec,omitempty"`

	// +kubebuilder:default={conditions: {{type: "Scheduled", status: "False", reason:"NotReconciled", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"}}}
	Status GatewayStatus `json:"status,omitempty"`
}

type GatewayAddress

type GatewayAddress struct {
	// Type of the Address. This is either "IPAddress" or "NamedAddress".
	//
	// Support: Extended
	//
	// +kubebuilder:default=IPAddress
	Type AddressType `json:"type,omitempty"`

	// Value. Examples: "1.2.3.4", "128::1", "my-ip-address". Validity of the
	// values will depend on `Type` and support by the controller.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Value string `json:"value"`
}

GatewayAddress describes an address that can be bound to a Gateway.

type GatewayAllowType

type GatewayAllowType string

GatewayAllowType specifies which Gateways should be allowed to use a Route.

const (
	// GatewayAllowAll indicates that all Gateways will be able to use this
	// route.
	GatewayAllowAll GatewayAllowType = "All"
	// GatewayAllowFromList indicates that only Gateways that have been
	// specified in GatewayRefs will be able to use this route.
	GatewayAllowFromList GatewayAllowType = "FromList"
	// GatewayAllowSameNamespace indicates that only Gateways within the same
	// namespace will be able to use this route.
	GatewayAllowSameNamespace GatewayAllowType = "SameNamespace"
)

type GatewayConditionReason

type GatewayConditionReason string

GatewayConditionReason defines the set of reasons that explain why a particular Gateway condition type has been raised.

type GatewayConditionType

type GatewayConditionType string

GatewayConditionType is a type of condition associated with a Gateway. This type should be used with the GatewayStatus.Conditions field.

type GatewayReference

type GatewayReference struct {
	// Name is the name of the referent.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Name string `json:"name"`
	// Namespace is the namespace of the referent.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Namespace string `json:"namespace"`
}

GatewayReference identifies a Gateway in a specified namespace.

type GatewaySpec

type GatewaySpec struct {
	// GatewayClassName used for this Gateway. This is the name of a
	// GatewayClass resource.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	GatewayClassName string `json:"gatewayClassName"`

	// Listeners associated with this Gateway. Listeners define
	// logical endpoints that are bound on this Gateway's addresses.
	// At least one Listener MUST be specified.
	//
	// An implementation MAY group Listeners by Port and then collapse each
	// group of Listeners into a single Listener if the implementation
	// determines that the Listeners in the group are "compatible". An
	// implementation MAY also group together and collapse compatible
	// Listeners belonging to different Gateways.
	//
	// For example, an implementation might consider Listeners to be
	// compatible with each other if all of the following conditions are
	// met:
	//
	// 1. Either each Listener within the group specifies the "HTTP"
	//    Protocol or each Listener within the group specifies either
	//    the "HTTPS" or "TLS" Protocol.
	//
	// 2. Each Listener within the group specifies a Hostname that is unique
	//    within the group.
	//
	// 3. As a special case, one Listener within a group may omit Hostname,
	//    in which case this Listener matches when no other Listener
	//    matches.
	//
	// If the implementation does collapse compatible Listeners, the
	// hostname provided in the incoming client request MUST be
	// matched to a Listener to find the correct set of Routes.
	// The incoming hostname MUST be matched using the Hostname
	// field for each Listener in order of most to least specific.
	// That is, exact matches must be processed before wildcard
	// matches.
	//
	// If this field specifies multiple Listeners that have the same
	// Port value but are not compatible, the implementation must raise
	// a "Conflicted" condition in the Listener status.
	//
	// Support: Core
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=64
	Listeners []Listener `json:"listeners"`

	// Addresses requested for this gateway. This is optional and
	// behavior can depend on the GatewayClass. If a value is set
	// in the spec and the requested address is invalid, the
	// GatewayClass MUST indicate this in the associated entry in
	// GatewayStatus.Addresses.
	//
	// If no Addresses are specified, the GatewayClass may
	// schedule the Gateway in an implementation-defined manner,
	// assigning an appropriate set of Addresses.
	//
	// The GatewayClass MUST bind all Listeners to every
	// GatewayAddress that it assigns to the Gateway.
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	Addresses []GatewayAddress `json:"addresses,omitempty"`
}

GatewaySpec defines the desired state of Gateway.

Not all possible combinations of options specified in the Spec are valid. Some invalid configurations can be caught synchronously via a webhook, but there are many cases that will require asynchronous signaling via the GatewayStatus block.
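The hostname-matching and Listener-compatibility rules above, carried through in added example code that is not part of this package or the Gateway API: the reduced Listener type, SelectListener and ListenerConflicts are hypothetical, and the wildcard semantics (a `*.suffix` pattern needs at least one extra label) are an assumption, since the page does not define them.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Listener is a reduced stand-in for the Gateway API Listener type, which this
// page references but does not define. Hostname "" means the field was omitted.
type Listener struct {
	Name     string
	Port     int
	Protocol string // "HTTP", "HTTPS" or "TLS"
	Hostname string // "", "*", "*.example.com" or an exact name
}

// protocolGroup implements rule 1 above: "HTTP" is one group, "HTTPS" and "TLS" the other.
func protocolGroup(p string) string {
	if p == "HTTPS" || p == "TLS" {
		return "TLS"
	}
	return p
}

// hostnameMatches compares case-insensitively. Assumption: "*.suffix" needs at
// least one extra label before ".suffix"; "*" and an omitted hostname match anything.
func hostnameMatches(pattern, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	pattern = strings.ToLower(pattern)
	switch {
	case pattern == "" || pattern == "*":
		return true
	case strings.HasPrefix(pattern, "*."):
		suffix := pattern[1:] // ".example.com"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	default:
		return host == pattern
	}
}

// specificity: exact names > wildcards with more labels > "*" > omitted hostname.
func specificity(pattern string) int {
	switch {
	case pattern == "":
		return 0
	case strings.HasPrefix(pattern, "*"):
		return 1 + strings.Count(pattern, ".") // "*" is 1, "*.a.b" is 3
	default:
		return 1000 + strings.Count(pattern, ".")
	}
}

// SelectListener picks the Listener on port whose hostname matches host most
// specifically, so exact beats wildcard and an omitted hostname is the last resort.
func SelectListener(listeners []Listener, port int, host string) (Listener, bool) {
	var cands []Listener
	for _, l := range listeners {
		if l.Port == port && hostnameMatches(l.Hostname, host) {
			cands = append(cands, l)
		}
	}
	if len(cands) == 0 {
		return Listener{}, false
	}
	sort.SliceStable(cands, func(i, j int) bool {
		return specificity(cands[i].Hostname) > specificity(cands[j].Hostname)
	})
	return cands[0], true
}

// ListenerConflicts returns, per Listener name, the "Conflicted" reason a controller
// would report: "ProtocolConflict" for mixed protocol groups on one port,
// "HostnameConflict" for equal hostnames on one port (including both "*" or both omitted).
func ListenerConflicts(listeners []Listener) map[string]string {
	out := map[string]string{}
	for i, a := range listeners {
		for j, b := range listeners {
			if i != j && a.Port == b.Port {
				if protocolGroup(a.Protocol) != protocolGroup(b.Protocol) {
					out[a.Name] = "ProtocolConflict"
				} else if strings.EqualFold(a.Hostname, b.Hostname) && out[a.Name] == "" {
					out[a.Name] = "HostnameConflict"
				}
			}
		}
	}
	return out
}

func main() {
	ls := []Listener{
		{Name: "exact", Port: 443, Protocol: "HTTPS", Hostname: "api.example.com"},
		{Name: "wild", Port: 443, Protocol: "TLS", Hostname: "*.example.com"},
		{Name: "any", Port: 443, Protocol: "HTTPS", Hostname: ""},
	}
	fmt.Println(SelectListener(ls, 443, "shop.example.com")) // the "wild" Listener
	bad := append(ls, Listener{Name: "plain", Port: 443, Protocol: "HTTP", Hostname: "*"})
	fmt.Println(ListenerConflicts(bad)) // every 443 Listener reports ProtocolConflict
}
```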

type GatewayStatus

type GatewayStatus struct {
	// Addresses lists the IP addresses that have actually been
	// bound to the Gateway. These addresses may differ from the
	// addresses in the Spec, e.g. if the Gateway automatically
	// assigns an address from a reserved pool.
	//
	// These addresses should all be of type "IPAddress".
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	Addresses []GatewayAddress `json:"addresses"`

	// Conditions describe the current conditions of the Gateway.
	//
	// Implementations should prefer to express Gateway conditions
	// using the `GatewayConditionType` and `GatewayConditionReason`
	// constants so that operators and tools can converge on a common
	// vocabulary to describe Gateway state.
	//
	// Known condition types are:
	//
	// * "Scheduled"
	// * "Ready"
	//
	// +listType=map
	// +listMapKey=type
	// +kubebuilder:validation:MaxItems=8
	// +kubebuilder:default={{type: "Scheduled", status: "False", reason:"NotReconciled", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"}}
	Conditions []Condition `json:"conditions,omitempty"`

	// Listeners provide status for each unique listener port defined in the Spec.
	//
	// +optional
	// +listType=map
	// +listMapKey=port
	// +kubebuilder:validation:MaxItems=64
	Listeners []ListenerStatus `json:"listeners,omitempty"`
}

GatewayStatus defines the observed state of Gateway.

type GatewayTLSConfig

type GatewayTLSConfig struct {
	// Mode defines the TLS behavior for the TLS session initiated by the client.
	// There are two possible modes:
	// - Terminate: The TLS session between the downstream client
	//   and the Gateway is terminated at the Gateway.
	// - Passthrough: The TLS session is NOT terminated by the Gateway. This
	//   implies that the Gateway can't decipher the TLS stream except for
	//   the ClientHello message of the TLS protocol.
	//   CertificateRef field is ignored in this mode.
	Mode TLSModeType `json:"mode,omitempty"`

	// CertificateRef is the reference to a Kubernetes object that
	// contains a TLS certificate and private key.
	// This certificate MUST be used for TLS handshakes for the domain
	// this GatewayTLSConfig is associated with.
	// If an entry in this list omits or specifies the empty
	// string for both the group and the resource, the resource defaults to "secrets".
	// An implementation may support other resources (for example, resource
	// "mycertificates" in group "networking.acme.io").
	// Support: Core (Kubernetes Secrets)
	// Support: Implementation-specific (Other resource types)
	//
	// +optional
	CertificateRef LocalObjectReference `json:"certificateRef,omitempty"`

	// RouteOverride dictates if TLS settings can be configured
	// via Routes or not.
	//
	// CertificateRef must be defined even if `routeOverride.certificate` is
	// set to 'Allow' as it will be used as the default certificate for the
	// listener.
	//
	// +kubebuilder:default={certificate:Deny}
	RouteOverride TLSOverridePolicy `json:"routeOverride,omitempty"`

	// Options are a list of key/value pairs to give extended options
	// to the provider.
	//
	// There is variation among providers as to how ciphersuites are
	// expressed. If there is a common subset for expressing ciphers
	// then it will make sense to loft that as a core API
	// construct.
	//
	// Support: Implementation-specific.
	//
	// +optional
	Options map[string]string `json:"options"`
}

GatewayTLSConfig describes a TLS configuration.

References:
- nginx: https://nginx.org/en/docs/http/configuring_https_servers.html
- envoy: https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto
- haproxy: https://www.haproxy.com/documentation/aloha/9-5/traffic-management/lb-layer7/tls/
- gcp: https://cloud.google.com/load-balancing/docs/use-ssl-policies#creating_an_ssl_policy_with_a_custom_profile
- aws: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
- azure: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-1112

type HTTPHeaderMatch

type HTTPHeaderMatch struct {
	// Type specifies how to match against the value of the header.
	//
	// Support: core (Exact)
	// Support: custom (RegularExpression, ImplementationSpecific)
	//
	// Since RegularExpression PathType has custom conformance, implementations
	// can support POSIX, PCRE or any other dialects of regular expressions.
	// Please read the implementation's documentation to determine the supported
	// dialect.
	//
	// HTTP Header name matching MUST be case-insensitive (RFC 2616 - section 4.2).
	//
	// +kubebuilder:default=Exact
	Type HeaderMatchType `json:"type,omitempty"`

	// Values is a map of HTTP Headers to be matched.
	// It MUST contain at least one entry.
	//
	// The HTTP header field name to match is the map key, and the
	// value of the HTTP header is the map value. HTTP header field name matching
	// MUST be case-insensitive.
	//
	// Multiple match values are ANDed together, meaning, a request
	// must match all the specified headers to select the route.
	Values map[string]string `json:"values"`
}

HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.

type HTTPPathMatch

type HTTPPathMatch struct {
	// Type specifies how to match against the path Value.
	//
	// Support: core (Exact, Prefix)
	// Support: custom (RegularExpression, ImplementationSpecific)
	//
	// Since RegularExpression PathType has custom conformance, implementations
	// can support POSIX, PCRE or any other dialects of regular expressions.
	// Please read the implementation's documentation to determine the supported
	// dialect.
	//
	// +kubebuilder:default=Prefix
	Type PathMatchType `json:"type,omitempty"`

	// Value of the HTTP path to match against.
	//
	// +kubebuilder:validation:MinLength=1
	Value string `json:"value"`
}

HTTPPathMatch describes how to select a HTTP route by matching the HTTP request path.

type HTTPRequestHeaderFilter

type HTTPRequestHeaderFilter struct {
	// Set overwrites the request with the given header (name, value)
	// before the action.
	//
	// Input:
	//   GET /foo HTTP/1.1
	//   my-header: foo
	//
	// Config:
	//   set: {"my-header": "bar"}
	//
	// Output:
	//   GET /foo HTTP/1.1
	//   my-header: bar
	//
	// Support: Extended
	// +optional
	Set map[string]string `json:"set,omitempty"`

	// Add adds the given header (name, value) to the request
	// before the action. It appends to any existing values associated
	// with the header name.
	//
	// Input:
	//   GET /foo HTTP/1.1
	//   my-header: foo
	//
	// Config:
	//   add: {"my-header": "bar"}
	//
	// Output:
	//   GET /foo HTTP/1.1
	//   my-header: foo
	//   my-header: bar
	//
	// Support: Extended
	// +optional
	Add map[string]string `json:"add,omitempty"`

	// Remove the given header(s) from the HTTP request before the
	// action. The value of RemoveHeader is a list of HTTP header
	// names. Note that the header names are case-insensitive
	// [RFC-2616 4.2].
	//
	// Input:
	//   GET /foo HTTP/1.1
	//   my-header1: foo
	//   my-header2: bar
	//   my-header3: baz
	//
	// Config:
	//   remove: ["my-header1", "my-header3"]
	//
	// Output:
	//   GET /foo HTTP/1.1
	//   my-header2: bar
	//
	// Support: Extended
	// +optional
	// +kubebuilder:validation:MaxItems=16
	Remove []string `json:"remove,omitempty"`
}

HTTPRequestHeaderFilter defines configuration for the RequestHeaderModifier filter.

type HTTPRequestMirrorFilter

type HTTPRequestMirrorFilter struct {
	// ServiceName refers to the name of the Service to mirror matched requests
	// to. When specified, this takes the place of BackendRef. If both
	// BackendRef and ServiceName are specified, ServiceName will be given
	// precedence.
	//
	// If the referent cannot be found, the rule is not included in the route.
	// The controller should raise the "ResolvedRefs" condition on the Gateway
	// with the "DegradedRoutes" reason. The gateway status for this route should
	// be updated with a condition that describes the error more specifically.
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:validation:MaxLength=253
	ServiceName *string `json:"serviceName,omitempty"`

	// BackendRef is a local object reference to mirror matched requests to. If
	// both BackendRef and ServiceName are specified, ServiceName will be given
	// precedence.
	//
	// If the referent cannot be found, the rule is not included in the route.
	// The controller should raise the "ResolvedRefs" condition on the Gateway
	// with the "DegradedRoutes" reason. The gateway status for this route should
	// be updated with a condition that describes the error more specifically.
	//
	// Support: Custom
	//
	// +optional
	BackendRef *LocalObjectReference `json:"backendRef,omitempty"`

	// Port specifies the destination port number to use for the
	// backend referenced by the ServiceName or BackendRef field.
	//
	Port PortNumber `json:"port"`
}

HTTPRequestMirrorFilter defines configuration for the RequestMirror filter.

type HTTPRoute

type HTTPRoute struct {
	TypeMeta   `json:",inline"`
	ObjectMeta `json:"metadata,omitempty"`

	Spec   HTTPRouteSpec   `json:"spec,omitempty"`
	Status HTTPRouteStatus `json:"status,omitempty"`
}

HTTPRoute is the Schema for the HTTPRoute resource.

type HTTPRouteFilter

type HTTPRouteFilter struct {
	// Type identifies the type of filter to apply. As with other API fields,
	// types are classified into three conformance levels:
	//
	// - Core: Filter types and their corresponding configuration defined by
	//   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
	//   implementations must support core filters.
	//
	// - Extended: Filter types and their corresponding configuration defined by
	//   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
	//   are encouraged to support extended filters.
	//
	// - Custom: Filters that are defined and supported by specific vendors.
	//   In the future, filters showing convergence in behavior across multiple
	//   implementations will be considered for inclusion in extended or core
	//   conformance levels. Filter-specific configuration for such filters
	//   is specified using the ExtensionRef field. `Type` should be set to
	//   "ExtensionRef" for custom filters.
	//
	// Implementers are encouraged to define custom implementation types to
	// extend the core API with implementation-specific behavior.
	//
	// +unionDiscriminator
	Type HTTPRouteFilterType `json:"type"`

	// RequestHeaderModifier defines a schema for a filter that modifies request
	// headers.
	//
	// Support: Core
	//
	// +optional
	RequestHeaderModifier *HTTPRequestHeaderFilter `json:"requestHeaderModifier,omitempty"`

	// RequestMirror defines a schema for a filter that mirrors requests.
	//
	// Support: Extended
	//
	// +optional
	RequestMirror *HTTPRequestMirrorFilter `json:"requestMirror,omitempty"`

	// ExtensionRef is an optional, implementation-specific extension to the
	// "filter" behavior.  For example, resource "myroutefilter" in group
	// "networking.acme.io"). ExtensionRef MUST NOT be used for core and
	// extended filters.
	//
	// Support: Implementation-specific
	//
	// +optional
	ExtensionRef *LocalObjectReference `json:"extensionRef,omitempty"`
}

HTTPRouteFilter defines additional processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express additional processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.

TODO(hbagdi): re-render CRDs once controller-tools supports union tags:

- https://github.com/kubernetes-sigs/controller-tools/pull/298
- https://github.com/kubernetes-sigs/controller-tools/issues/461

+union

type HTTPRouteFilterType

type HTTPRouteFilterType string

HTTPRouteFilterType identifies a type of HTTPRoute filter. +kubebuilder:validation:Enum=RequestHeaderModifier;RequestMirror;ExtensionRef

const (
	// HTTPRouteFilterRequestHeaderModifier can be used to add or remove an HTTP
	// header from an HTTP request before it is sent to the upstream target.
	//
	// Support in HTTPRouteRule: Core
	// Support in HTTPRouteForwardTo: Extended
	HTTPRouteFilterRequestHeaderModifier HTTPRouteFilterType = "RequestHeaderModifier"

	// HTTPRouteFilterRequestMirror can be used to mirror HTTP requests to a
	// different backend. The responses from this backend MUST be ignored by
	// the Gateway.
	//
	// Support in HTTPRouteRule: Extended
	// Support in HTTPRouteForwardTo: Extended
	HTTPRouteFilterRequestMirror HTTPRouteFilterType = "RequestMirror"

	// HTTPRouteFilterExtensionRef should be used for configuring custom
	// HTTP filters.
	//
	// Support in HTTPRouteRule: Custom
	// Support in HTTPRouteForwardTo: Custom
	HTTPRouteFilterExtensionRef HTTPRouteFilterType = "ExtensionRef"
)

type HTTPRouteForwardTo

type HTTPRouteForwardTo struct {
	// ServiceName refers to the name of the Service to forward matched requests
	// to. When specified, this takes the place of BackendRef. If both
	// BackendRef and ServiceName are specified, ServiceName will be given
	// precedence.
	//
	// If the referent cannot be found, the route must be dropped
	// from the Gateway. The controller should raise the "ResolvedRefs"
	// condition on the Gateway with the "DegradedRoutes" reason.
	// The gateway status for this route should be updated with a
	// condition that describes the error more specifically.
	//
	// The protocol to use should be specified with the AppProtocol field on Service
	// resources. This field was introduced in Kubernetes 1.18. If using an earlier version
	// of Kubernetes, a `networking.x-k8s.io/app-protocol` annotation on the
	// BackendPolicy resource may be used to define the protocol. If the
	// AppProtocol field is available, this annotation should not be used. The
	// AppProtocol field, when populated, takes precedence over the annotation
	// in the BackendPolicy resource. For custom backends, it is encouraged to
	// add a semantically-equivalent field in the Custom Resource Definition.
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:validation:MaxLength=253
	ServiceName *string `json:"serviceName,omitempty"`

	// BackendRef is a reference to a backend to forward matched requests to. If
	// both BackendRef and ServiceName are specified, ServiceName will be given
	// precedence.
	//
	// If the referent cannot be found, the route must be dropped
	// from the Gateway. The controller should raise the "ResolvedRefs"
	// condition on the Gateway with the "DegradedRoutes" reason.
	// The gateway status for this route should be updated with a
	// condition that describes the error more specifically.
	//
	// Support: Custom
	//
	// +optional
	BackendRef *LocalObjectReference `json:"backendRef,omitempty"`

	// Port specifies the destination port number to use for the
	// backend referenced by the ServiceName or BackendRef field.
	//
	// Support: Core
	//
	Port PortNumber `json:"port"`

	// Weight specifies the proportion of HTTP requests forwarded to the backend
	// referenced by the ServiceName or BackendRef field. This is computed as
	// weight/(sum of all weights in this ForwardTo list). For non-zero values,
	// there may be some epsilon from the exact proportion defined here
	// depending on the precision an implementation supports. Weight is not a
	// percentage and the sum of weights does not need to equal 100.
	//
	// If only one backend is specified and it has a weight greater than 0, 100%
	// of the traffic is forwarded to that backend. If weight is set to 0, no
	// traffic should be forwarded for this entry. If unspecified, weight
	// defaults to 1.
	//
	// Support: Core
	//
	// +kubebuilder:default=1
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=1000000
	Weight int32 `json:"weight,omitempty"`

	// Filters defined at this-level should be executed if and only if the
	// request is being forwarded to the backend defined here.
	//
	// Support: Custom (For broader support of filters, use the Filters field
	// in HTTPRouteRule.)
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	Filters []HTTPRouteFilter `json:"filters,omitempty"`
}

HTTPRouteForwardTo defines how a HTTPRoute should forward a request.
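An added example in Go (not code from the hbone package) of the Weight semantics above: each backend's share is weight/(sum of all weights), an explicit 0 sends nothing, and an absent weight defaults to 1. The `forwardTo` shadow type with a pointer-typed `weight` is an assumption of the example: the page's `Weight int32` with `omitempty` cannot tell an omitted weight (which the API server defaults to 1) from an explicit 0 once a light client like this one has decoded the JSON, so a client that reads objects without server-side defaulting has to track presence itself. The sample `forwardTo` list is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// forwardTo is a decoding shadow of the page's HTTPRouteForwardTo (assumed
// for this example). Weight is a pointer so an absent "weight" key (CRD
// default 1) can be told apart from an explicit 0 ("send no traffic").
type forwardTo struct {
	ServiceName string `json:"serviceName"`
	Port        int32  `json:"port"`
	Weight      *int32 `json:"weight,omitempty"`
}

// effectiveWeight applies the kubebuilder default and range
// (+kubebuilder:default=1, Minimum=0, Maximum=1000000).
func effectiveWeight(w *int32) (int32, error) {
	if w == nil {
		return 1, nil
	}
	if *w < 0 || *w > 1000000 {
		return 0, fmt.Errorf("weight %d outside [0, 1000000]", *w)
	}
	return *w, nil
}

// proportions returns each entry's share, weight/(sum of all weights).
// An all-zero list is an error: the spec says no traffic is forwarded, so
// the caller should answer 503 rather than silently pick a backend.
func proportions(entries []forwardTo) ([]float64, error) {
	weights := make([]int64, len(entries))
	var total int64
	for i, e := range entries {
		w, err := effectiveWeight(e.Weight)
		if err != nil {
			return nil, err
		}
		weights[i] = int64(w)
		total += int64(w)
	}
	if total == 0 {
		return nil, errors.New("no backend with a non-zero weight")
	}
	shares := make([]float64, len(entries))
	for i, w := range weights {
		shares[i] = float64(w) / float64(total)
	}
	return shares, nil
}

// pick maps a uniform sample r in [0,1) onto the cumulative shares and
// returns the chosen index; zero-weight entries own no interval and are
// never selected.
func pick(entries []forwardTo, r float64) (int, error) {
	shares, err := proportions(entries)
	if err != nil {
		return -1, err
	}
	acc := 0.0
	for i, s := range shares {
		acc += s
		if s > 0 && r < acc {
			return i, nil
		}
	}
	// Floating-point accumulation can stop just short of 1.0; fall back to
	// the last entry that carries traffic.
	for i := len(shares) - 1; i >= 0; i-- {
		if shares[i] > 0 {
			return i, nil
		}
	}
	return -1, errors.New("unreachable")
}

// decodeForwardTo parses a rule's "forwardTo" list as it appears on the wire.
func decodeForwardTo(raw string) ([]forwardTo, error) {
	var entries []forwardTo
	err := json.Unmarshal([]byte(raw), &entries)
	return entries, err
}

func main() {
	// Constructed sample: a stable backend (3), a canary (1), a backend
	// pinned to 0, and one entry that omits weight and so defaults to 1.
	entries, err := decodeForwardTo(`[
	  {"serviceName":"stable","port":8080,"weight":3},
	  {"serviceName":"canary","port":8080,"weight":1},
	  {"serviceName":"dark","port":8080,"weight":0},
	  {"serviceName":"implicit","port":8080}
	]`)
	if err != nil {
		panic(err)
	}
	shares, _ := proportions(entries)
	for i, e := range entries {
		fmt.Printf("%-9s share=%.2f\n", e.ServiceName, shares[i])
	}
}
```

With the sample above the shares come out as 0.6, 0.2, 0 and 0.2: the entry without a weight takes the same share as the canary, and the entry pinned to 0 never receives a request.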

type HTTPRouteList

type HTTPRouteList struct {
	TypeMeta `json:",inline"`
	ListMeta `json:"metadata,omitempty"`
	Items    []HTTPRoute `json:"items"`
}

HTTPRouteList contains a list of HTTPRoute

type HTTPRouteMatch

type HTTPRouteMatch struct {
	// Path specifies a HTTP request path matcher. If this field is not
	// specified, a default prefix match on the "/" path is provided.
	//
	// +kubebuilder:default={type: "Prefix", value: "/"}
	Path HTTPPathMatch `json:"path,omitempty"`

	// Headers specifies a HTTP request header matcher.
	//
	// +optional
	Headers *HTTPHeaderMatch `json:"headers"`

	// ExtensionRef is an optional, implementation-specific extension to the
	// "match" behavior. For example, resource "myroutematcher" in group
	// "networking.acme.io". If the referent cannot be found, the rule is not
	// included in the route. The controller should raise the "ResolvedRefs"
	// condition on the Gateway with the "DegradedRoutes" reason. The gateway
	// status for this route should be updated with a condition that describes
	// the error more specifically.
	//
	// Support: custom
	//
	// +optional
	ExtensionRef *LocalObjectReference `json:"extensionRef,omitempty"`
}

HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied.

For example, the match below will match an HTTP request only if its path starts with `/foo` AND it contains the `version: "1"` header:

```yaml
match:
  path:
    value: "/foo"
  headers:
    values:
      version: "1"
```

type HTTPRouteRule

type HTTPRouteRule struct {
	// Matches define conditions used for matching the rule against
	// incoming HTTP requests.
	// Each match is independent, i.e. this rule will be matched
	// if **any** one of the matches is satisfied.
	//
	// For example, take the following matches configuration:
	//
	// ```
	// matches:
	// - path:
	//     value: "/foo"
	//   headers:
	//     values:
	//       version: "2"
	// - path:
	//     value: "/v2/foo"
	// ```
	//
	// For a request to match against this rule, a request should satisfy
	// EITHER of the two conditions:
	//
	// - path prefixed with `/foo` AND contains the header `version: "2"`
	// - path prefix of `/v2/foo`
	//
	// See the documentation for HTTPRouteMatch on how to specify multiple
	// match conditions that should be ANDed together.
	//
	// If no matches are specified, the default is a prefix
	// path match on "/", which has the effect of matching every
	// HTTP request.
	//
	//
	// A client request may match multiple HTTP route rules. Matching precedence
	// MUST be determined in order of the following criteria, continuing on ties:
	// * The longest matching hostname.
	// * The longest matching path.
	// * The largest number of header matches
	// * The oldest Route based on creation timestamp. For example, a Route with
	//   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
	//   a Route with a creation timestamp of "2020-09-08 01:02:04".
	// * The Route appearing first in alphabetical order (namespace/name) for
	//   example, foo/bar is given precedence over foo/baz.
	// +kubebuilder:default={{path:{ type: "Prefix", value: "/"}}}
	// +kubebuilder:validation:MaxItems=8
	Matches []HTTPRouteMatch `json:"matches,omitempty"`

	// Filters define the filters that are applied to requests that match
	// this rule.
	//
	// The effects of ordering of multiple behaviors are currently unspecified.
	// This can change in the future based on feedback during the alpha stage.
	//
	// Conformance-levels at this level are defined based on the type of filter:
	// - ALL core filters MUST be supported by all implementations.
	// - Implementers are encouraged to support extended filters.
	// - Implementation-specific custom filters have no API guarantees across
	//   implementations.
	//
	// Specifying a core filter multiple times has unspecified or custom conformance.
	//
	// Support: core
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	Filters []HTTPRouteFilter `json:"filters,omitempty"`

	// ForwardTo defines the backend(s) where matching requests should be sent.
	// If unspecified, the rule performs no forwarding. If unspecified and no
	// filters are specified that would result in a response being sent, a 503
	// error code is returned.
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	ForwardTo []HTTPRouteForwardTo `json:"forwardTo,omitempty"`
}

HTTPRouteRule defines semantics for matching an HTTP request based on conditions, optionally executing additional processing steps, and forwarding the request to an API object.
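An added example in Go (not the hbone package's own code) of the HTTPRouteRule semantics above: each HTTPRouteMatch ANDs its path and header conditions, a rule's matches are ORed, an empty matches list means a "/" prefix, and when several rules accept a request the winner is chosen by longest path, then most header matches, then oldest route, then namespace/name order. The hostname criterion is assumed to have been applied by the caller before this runs; `routeMatch`, `routeRule` and `route` are stand-ins for the page's types carrying only the fields this needs, and the fixture routes are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
	"time"
)

// Stand-ins for the match types this section does not show: a match is a
// "Prefix" path (the default type) plus "Exact" header values, all ANDed;
// a rule's matches are ORed, and an empty list means PathPrefix "/".
type routeMatch struct{ PathPrefix string; Headers map[string]string }
type routeRule struct{ Matches []routeMatch; Backend string }
type route struct {
	Namespace, Name string
	Created         time.Time
	Rules           []routeRule
}
// candidate is one (route, rule, match) that accepted the request.
type candidate struct {
	Route                  *route
	Rule, PathLen, Headers int
}

// matchOne evaluates one HTTPRouteMatch: the path AND every header. The path
// test is a plain string prefix, as the page describes, so "/foo" also
// accepts "/foobar"; segment-aware matching would additionally require '/'.
func matchOne(m routeMatch, r *http.Request) bool {
	if !strings.HasPrefix(r.URL.Path, m.PathPrefix) {
		return false
	}
	for name, want := range m.Headers {
		if r.Header.Get(name) != want { // Get canonicalises the name
			return false
		}
	}
	return true
}

// selectRule collects every (route, rule, match) accepting r, orders them by
// the page's precedence list (hostname already applied by the caller) and
// returns the winning backend; ok is false when nothing matched (503).
func selectRule(routes []*route, r *http.Request) (backend string, ok bool) {
	var cs []candidate
	for _, rt := range routes {
		for i, rule := range rt.Rules {
			ms := rule.Matches
			if len(ms) == 0 {
				ms = []routeMatch{{PathPrefix: "/"}}
			}
			for _, m := range ms {
				if matchOne(m, r) {
					cs = append(cs, candidate{rt, i, len(m.PathPrefix), len(m.Headers)})
				}
			}
		}
	}
	if len(cs) == 0 {
		return "", false
	}
	sort.SliceStable(cs, func(a, b int) bool {
		x, y := cs[a], cs[b]
		switch {
		case x.PathLen != y.PathLen:
			return x.PathLen > y.PathLen
		case x.Headers != y.Headers:
			return x.Headers > y.Headers
		case !x.Route.Created.Equal(y.Route.Created):
			return x.Route.Created.Before(y.Route.Created)
		}
		return x.Route.Namespace+"/"+x.Route.Name < y.Route.Namespace+"/"+y.Route.Name
	})
	return cs[0].Route.Rules[cs[0].Rule].Backend, true
}

// sampleRoutes is a constructed fixture: an "api" route, plus a newer
// "shadow" route and an older "legacy" route that both claim /v1/admin.
func sampleRoutes() []*route {
	t0 := time.Date(2020, 9, 8, 1, 2, 3, 0, time.UTC)
	return []*route{
		{Namespace: "team-a", Name: "api", Created: t0.Add(time.Second), Rules: []routeRule{
			{Matches: []routeMatch{{"/v1", map[string]string{"version": "2"}}}, Backend: "v1-beta"},
			{Matches: []routeMatch{{PathPrefix: "/v1"}}, Backend: "v1"},
			{Backend: "default"}}},
		{Namespace: "team-a", Name: "shadow", Created: t0.Add(time.Minute), Rules: []routeRule{
			{Matches: []routeMatch{{PathPrefix: "/v1/admin"}}, Backend: "shadow"}}},
		{Namespace: "team-b", Name: "legacy", Created: t0, Rules: []routeRule{
			{Matches: []routeMatch{{PathPrefix: "/v1/admin"}}, Backend: "legacy"}}},
	}
}

func main() {
	req, _ := http.NewRequest("GET", "http://api.example.com/v1/admin/users", nil)
	backend, _ := selectRule(sampleRoutes(), req)
	fmt.Println("routed to", backend) // legacy: equal path lengths, so the oldest route wins
}
```

The point of the fixture is the "shadow" route: a route created later cannot take over a path an older route already claims with the same specificity, which is what makes the creation-timestamp tie-break a useful property rather than an arbitrary one.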

type HTTPRouteSpec

type HTTPRouteSpec struct {
	// Gateways defines which Gateways can use this Route.
	// +kubebuilder:default={allow: "SameNamespace"}
	Gateways RouteGateways `json:"gateways,omitempty"`

	// Hostnames defines a set of hostname that should match against
	// the HTTP Host header to select a HTTPRoute to process the request.
	// Hostname is the fully qualified domain name of a network host,
	// as defined by RFC 3986. Note the following deviations from the
	// "host" part of the URI as defined in the RFC:
	//
	// 1. IPs are not allowed.
	// 2. The `:` delimiter is not respected because ports are not allowed.
	//
	// Incoming requests are matched against the hostnames before the
	// HTTPRoute rules. If no hostname is specified, traffic is routed
	// based on the HTTPRouteRules.
	//
	// Hostname can be "precise" which is a domain name without the terminating
	// dot of a network host (e.g. "foo.example.com") or "wildcard", which is
	// a domain name prefixed with a single wildcard label (e.g. "*.example.com").
	// The wildcard character '*' must appear by itself as the first DNS
	// label and matches only a single label.
	// You cannot have a wildcard label by itself (e.g. Host == "*").
	// Requests will be matched against the Host field in the following order:
	// 1. If Host is precise, the request matches this rule if
	//    the http host header is equal to Host.
	// 2. If Host is a wildcard, then the request matches this rule if
	//    the http host header, with its first label removed, is equal to
	//    the suffix of the wildcard rule (the part after "*.").
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:validation:MaxItems=16
	Hostnames []Hostname `json:"hostnames,omitempty"`

	// TLS defines the TLS certificate to use for Hostnames defined in this
	// Route. This configuration only takes effect if the AllowRouteOverride
	// field is set to true in the associated Gateway resource.
	//
	// Collisions can happen if multiple HTTPRoutes define a TLS certificate
	// for the same hostname. In such a case, the conflict-resolution guiding
	// principles apply; specifically, if the hostnames are the same and two
	// different certificates are specified, the certificate in the
	// oldest resource wins.
	//
	// Please note that HTTP Route-selection takes place after the
	// TLS Handshake (ClientHello). Due to this, TLS certificate defined
	// here will take precedence even if the request has the potential to
	// match multiple routes (in case multiple HTTPRoutes share the same
	// hostname).
	//
	// Support: Core
	//
	// +optional
	TLS *RouteTLSConfig `json:"tls,omitempty"`

	// Rules are a list of HTTP matchers, filters and actions.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	Rules []HTTPRouteRule `json:"rules"`
}

HTTPRouteSpec defines the desired state of HTTPRoute
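An added example in Go (not code from the hbone package) of the hostname rules in HTTPRouteSpec: validation of a route hostname (no IP literal, no port, one wildcard and only as the first label, never a bare "*"), normalization of a request Host header before comparison, wildcard matching of exactly one label, and selection of the longest matching hostname, which is the first criterion of the rule precedence list. `ValidateHostname`, `NormalizeHost` and `BestHostname` are names chosen for this example, and the sample route and Host headers are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Hostname mirrors the page's type; the functions below implement its rules.
type Hostname string

var labelRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// ValidateHostname enforces the HTTPRouteSpec rules: 1..253 bytes, no IP
// literal, no port, at most one wildcard and only as the first label, never
// a bare "*", and every remaining label a valid DNS label.
func ValidateHostname(h Hostname) error {
	s := strings.ToLower(string(h))
	switch {
	case len(s) == 0 || len(s) > 253:
		return fmt.Errorf("hostname %q: length must be 1..253", h)
	case strings.ContainsAny(s, ":[]"):
		return fmt.Errorf("hostname %q: ports and IPv6 literals are not allowed", h)
	case net.ParseIP(s) != nil:
		return fmt.Errorf("hostname %q: IP addresses are not allowed", h)
	}
	labels := strings.Split(s, ".")
	if labels[0] == "*" {
		if len(labels) == 1 {
			return errors.New(`hostname "*": a wildcard label by itself is not allowed`)
		}
		labels = labels[1:]
	}
	for _, l := range labels {
		if !labelRE.MatchString(l) {
			return fmt.Errorf("hostname %q: invalid label %q", h, l)
		}
	}
	return nil
}

// NormalizeHost turns a request Host header into the form the rules compare
// against: port stripped, lower-cased, trailing dot removed. Route hostnames
// can never be IP literals, so a Host that is one is rejected outright.
func NormalizeHost(hostHeader string) (string, error) {
	h := strings.TrimSpace(hostHeader)
	// An IPv6 literal is bracketed, so its last ':' sits inside the brackets.
	if i := strings.LastIndexByte(h, ':'); i >= 0 && !strings.Contains(h[i:], "]") {
		var err error
		if h, _, err = net.SplitHostPort(h); err != nil {
			return "", err
		}
	}
	h = strings.ToLower(strings.TrimSuffix(h, "."))
	if net.ParseIP(strings.Trim(h, "[]")) != nil {
		return "", fmt.Errorf("host %q is an IP literal and cannot match a route hostname", hostHeader)
	}
	if err := ValidateHostname(Hostname(h)); err != nil || strings.HasPrefix(h, "*") {
		return "", fmt.Errorf("host %q is not a valid request hostname", hostHeader)
	}
	return h, nil
}

// Matches reports whether a normalized host satisfies the pattern. A wildcard
// covers exactly one leading label: "*.example.com" accepts "a.example.com"
// but neither "example.com" nor "a.b.example.com".
func (h Hostname) Matches(host string) bool {
	p := strings.ToLower(string(h))
	if strings.HasPrefix(p, "*.") {
		i := strings.IndexByte(host, '.')
		return i > 0 && host[i+1:] == p[2:]
	}
	return p == host
}

// BestHostname picks the longest route hostname matching the Host header,
// the first criterion of the rule precedence list; ok is false when the
// request does not belong to this route at all.
func BestHostname(route []Hostname, hostHeader string) (best Hostname, ok bool) {
	host, err := NormalizeHost(hostHeader)
	if err != nil {
		return "", false
	}
	for _, h := range route {
		if h.Matches(host) && len(h) > len(best) {
			best, ok = h, true
		}
	}
	return best, ok
}

func main() {
	route := []Hostname{"*.example.com", "api.example.com"} // constructed sample
	for _, hdr := range []string{"API.example.com:8443", "shop.example.com", "a.b.example.com", "10.0.0.1"} {
		best, ok := BestHostname(route, hdr)
		fmt.Printf("%-22s -> %q %v\n", hdr, best, ok)
	}
}
```

Normalizing before comparison matters because the Host header is attacker-controlled: without port stripping and case folding, "API.example.com:8443" would fall through every precise hostname and land on whichever wildcard or hostname-less route happens to exist.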

type HTTPRouteStatus

type HTTPRouteStatus struct {
	RouteStatus `json:",inline"`
}

HTTPRouteStatus defines the observed state of HTTPRoute.

type HeaderMatchType

type HeaderMatchType string

HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values are:

* "Exact"
* "RegularExpression"
* "ImplementationSpecific"

+kubebuilder:validation:Enum=Exact;RegularExpression;ImplementationSpecific

const (
	HeaderMatchExact                  HeaderMatchType = "Exact"
	HeaderMatchRegularExpression      HeaderMatchType = "RegularExpression"
	HeaderMatchImplementationSpecific HeaderMatchType = "ImplementationSpecific"
)

HeaderMatchType constants.

type Hostname

type Hostname string

Hostname is used to specify a hostname that should be matched. +kubebuilder:validation:MinLength=1 +kubebuilder:validation:MaxLength=253

type IstioGateway

type IstioGateway struct {
	// A list of server specifications.
	Servers []*Server `protobuf:"bytes,1,rep,name=servers,proto3" json:"servers,omitempty"`
	// One or more labels that indicate a specific set of pods/VMs
	// on which this gateway configuration should be applied.
	// By default workloads are searched across all namespaces based on label selectors.
	// This implies that a gateway resource in the namespace "foo" can select pods in
	// the namespace "bar" based on labels.
	// This behavior can be controlled via the `PILOT_SCOPE_GATEWAY_TO_NAMESPACE`
	// environment variable in istiod. If this variable is set
	// to true, the scope of label search is restricted to the configuration
	// namespace in which the resource is present. In other words, the Gateway
	// resource must reside in the same namespace as the gateway workload
	// instance.
	// If selector is nil, the Gateway will be applied to all workloads.
	Selector map[string]string `` /* 157-byte string literal not displayed */

}

type IstioGatewayCR

type IstioGatewayCR struct {
	TypeMeta `json:",inline"`
	// +optional
	ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec defines the implementation of this definition.
	// +optional
	Spec IstioGateway `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.

<!-- crd generation tags +cue-gen:Gateway:groupName:networking.istio.io +cue-gen:Gateway:version:v1beta1 +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio +cue-gen:Gateway:subresource:status +cue-gen:Gateway:scope:Namespaced +cue-gen:Gateway:resource:categories=istio-io,networking-istio-io,shortNames=gw +cue-gen:Gateway:preserveUnknownFields:false -->

<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=networking.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->

type K8STokenSource

type K8STokenSource struct {
	Cluster *hbone.Cluster

	// Namespace and KSA identify the service account to mint tokens for. The
	// 'cluster' credentials must have the RBAC permission to create the
	// "token" subresource of that service account (serviceaccounts/token).
	Namespace, KSA string

	// Force this audience instead of derived from request URI.
	AudOverride string
}

K8STokenSource returns K8S service-account JWTs via TokenRequest calls to the service account's "/token" subresource. TODO: or file-mounted secrets

func NewK8STokenSource

func NewK8STokenSource() *K8STokenSource

func (*K8STokenSource) GetToken

func (ts *K8STokenSource) GetToken(ctx context.Context, aud string) (string, error)
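An added example in Go (not the hbone package's implementation of GetToken) of the exchange behind K8STokenSource: a TokenRequest POSTed to the service account's "/token" subresource, bound to one audience and limited to ten minutes, authenticated with the cluster credential that RBAC must allow to create serviceaccounts/token. `tokenSource` is a hypothetical stand-in for K8STokenSource whose hbone.Cluster is reduced to a URL, a bearer credential and an HTTP client; `FakeAPIServer` is a constructed stand-in for kube-apiserver that enforces those two checks and returns a token with a dummy signature, so the example runs offline.

```go
package main

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// tokenSource is a hypothetical stand-in for the page's K8STokenSource: the
// hbone.Cluster it embeds is reduced to the API server URL, the caller's own
// credential and an HTTP client that carries the cluster's TLS settings.
type tokenSource struct {
	APIServer, ClusterToken, Namespace, KSA string
	Client                                  *http.Client
}

// GetToken POSTs an authentication.k8s.io/v1 TokenRequest to the service
// account's "/token" subresource and returns the minted JWT. The token is
// bound to one audience and expires after ten minutes (the API minimum);
// RBAC must grant the cluster credential "create" on serviceaccounts/token.
func (ts *tokenSource) GetToken(ctx context.Context, aud string) (string, error) {
	body, _ := json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest",
		"spec": map[string]interface{}{"audiences": []string{aud}, "expirationSeconds": 600},
	})
	u := fmt.Sprintf("%s/api/v1/namespaces/%s/serviceaccounts/%s/token",
		ts.APIServer, url.PathEscape(ts.Namespace), url.PathEscape(ts.KSA))
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+ts.ClusterToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := ts.Client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("TokenRequest: HTTP %d", resp.StatusCode)
	}
	var out struct{ Status struct{ Token string } } // json keys match case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Status.Token == "" {
		return "", fmt.Errorf("TokenRequest: unusable response body (%v)", err)
	}
	return out.Status.Token, nil
}

// FakeAPIServer is a constructed stand-in for kube-apiserver: a wrong bearer
// token gets 401, any path but the allowed service account's gets 403 (as
// RBAC would), and otherwise the reply carries a token whose payload holds
// the requested audience and expiry. The signature segment is a dummy.
func FakeAPIServer(clusterToken, allowedPath string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var tr struct{ Spec struct{ Audiences []string; ExpirationSeconds int64 } }
		if r.Header.Get("Authorization") != "Bearer "+clusterToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodPost || r.URL.Path != allowedPath || json.NewDecoder(r.Body).Decode(&tr) != nil {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		exp := time.Now().Add(time.Duration(tr.Spec.ExpirationSeconds) * time.Second).Unix()
		claims, _ := json.Marshal(map[string]interface{}{"aud": tr.Spec.Audiences, "exp": exp})
		enc := base64.RawURLEncoding.EncodeToString
		tok := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(claims) + ".sig"
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(map[string]interface{}{"status": map[string]string{"token": tok}})
	}))
}

func main() {
	srv := FakeAPIServer("cluster-credential", "/api/v1/namespaces/default/serviceaccounts/hbone/token")
	defer srv.Close()
	ts := &tokenSource{APIServer: srv.URL, ClusterToken: "cluster-credential",
		Namespace: "default", KSA: "hbone", Client: srv.Client()}
	tok, err := ts.GetToken(context.Background(), "istio-ca")
	fmt.Println(len(tok) > 0, err) // true <nil>
}
```

Two properties of the real API are worth keeping in mind when reading this: the audience in the minted token is whatever the caller asked for, so the cluster credential's RBAC grant on serviceaccounts/token is the only thing limiting which identities it can mint tokens for; and the returned JWT is verified by the receiving service (Istiod here), not by this client, which only relays it.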

type KubeCluster

type KubeCluster struct {
	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
	// +k8s:conversion-gen=false
	//LocationOfOrigin string
	// Server is the address of the kubernetes cluster (https://hostname:port).
	Server string `json:"server"`
	// InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.
	// +optional
	InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify,omitempty"`
	// CertificateAuthority is the path to a cert file for the certificate authority.
	// +optional
	CertificateAuthority string `json:"certificate-authority,omitempty" yaml:"certificate-authority"`
	// CertificateAuthorityData contains PEM-encoded certificate authority certificates. Overrides CertificateAuthority
	// +optional
	CertificateAuthorityData string `json:"certificate-authority-data,omitempty"  yaml:"certificate-authority-data"`
}

type KubeConfig

type KubeConfig struct {
	// Must be v1
	ApiVersion string `json:"apiVersion"`
	// Must be Config
	Kind string `json:"kind"`

	// Clusters is a map of referencable names to cluster configs
	Clusters []KubeNamedCluster `json:"clusters"`

	// AuthInfos is a map of referencable names to user configs
	Users []KubeNamedUser `json:"users"`

	// Contexts is a map of referencable names to context configs
	Contexts []KubeNamedContext `json:"contexts"`

	// CurrentContext is the name of the context that you would like to use by default
	CurrentContext string `json:"current-context" yaml:"current-context"`
}

KubeConfig is the JSON representation of the kube config. The format supports most of the things we need and also allows connection to real k8s clusters. UGate implements a very light subset - should be sufficient to connect to K8S, but without any generated stubs. Based in part on https://github.com/ericchiang/k8s (abandoned), which is a light client.

type KubeNamedCluster

type KubeNamedCluster struct {
	Name    string      `json:"name"`
	Cluster KubeCluster `json:"cluster"`
}

type KubeNamedContext

type KubeNamedContext struct {
	Name    string  `json:"name"`
	Context Context `json:"context"`
}

type KubeNamedUser

type KubeNamedUser struct {
	Name string   `json:"name"`
	User KubeUser `json:"user"`
}

type KubeUser

type KubeUser struct {
	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
	// +k8s:conversion-gen=false
	//LocationOfOrigin string
	// ClientCertificate is the path to a client cert file for TLS.
	// +optional
	ClientCertificate string `json:"client-certificate,omitempty"`
	// ClientCertificateData contains PEM-encoded data from a client cert file for TLS. Overrides ClientCertificate
	// +optional
	ClientCertificateData []byte `json:"client-certificate-data,omitempty"`
	// ClientKey is the path to a client key file for TLS.
	// +optional
	ClientKey string `json:"client-key,omitempty"`
	// ClientKeyData contains PEM-encoded data from a client key file for TLS. Overrides ClientKey
	// +optional
	ClientKeyData []byte `json:"client-key-data,omitempty"`
	// Token is the bearer token for authentication to the kubernetes cluster.
	// +optional
	Token string `json:"token,omitempty"`
	// TokenFile is a pointer to a file that contains a bearer token (as described above).  If both Token and TokenFile are present, Token takes precedence.
	// +optional
	TokenFile string `json:"tokenFile,omitempty"`
	// Impersonate is the username to act-as.
	// +optional
	//Impersonate string `json:"act-as,omitempty"`
	// ImpersonateGroups is the groups to impersonate.
	// +optional
	//ImpersonateGroups []string `json:"act-as-groups,omitempty"`
	// ImpersonateUserExtra contains additional information for impersonated user.
	// +optional
	//ImpersonateUserExtra map[string][]string `json:"act-as-user-extra,omitempty"`
	// Username is the username for basic authentication to the kubernetes cluster.
	// +optional
	Username string `json:"username,omitempty"`
	// Password is the password for basic authentication to the kubernetes cluster.
	// +optional
	Password string `json:"password,omitempty"`
	// AuthProvider specifies a custom authentication plugin for the kubernetes cluster.
	// +optional
	AuthProvider UserAuthProvider `json:"auth-provider,omitempty" yaml:"auth-provider,omitempty"`
}

KubeUser contains information that describes identity information. This is used to tell the kubernetes cluster who you are.
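An added example in Go (not code from the hbone package) of turning the KubeCluster and KubeUser fields above into client TLS settings: a pinned CA from certificate-authority-data (a kubeconfig stores it as base64-wrapped PEM, so it is decoded first), an optional client certificate, and a refusal to honour insecure-skip-tls-verify unless the caller opts in explicitly. The type copies keep only the fields used here; `TLSConfigFor` and `allowInsecure` are names chosen for this example, and `SelfSignedCA` generates a throwaway CA so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The page's KubeCluster and KubeUser, reduced to the fields that shape the
// TLS connection (the token and path-based fields are left out here).
type KubeCluster struct {
	Server                   string
	InsecureSkipTLSVerify    bool
	CertificateAuthorityData string // base64 of PEM, as a kubeconfig stores it
}
type KubeUser struct {
	ClientCertificateData, ClientKeyData []byte // PEM
}

// decodeCAData accepts the base64-wrapped PEM a kubeconfig carries, or raw
// PEM if the data was unwrapped when the config was loaded.
func decodeCAData(s string) ([]byte, error) {
	s = strings.TrimSpace(s)
	if strings.HasPrefix(s, "-----BEGIN") {
		return []byte(s), nil
	}
	return base64.StdEncoding.DecodeString(s)
}

// TLSConfigFor builds the client TLS settings for a cluster/user pair. The
// kubeconfig's insecure-skip-tls-verify is honoured only when the caller
// opts in, so a config fetched from a config map cannot silently turn
// certificate verification off.
func TLSConfigFor(c KubeCluster, u KubeUser, allowInsecure bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch {
	case c.InsecureSkipTLSVerify && !allowInsecure:
		return nil, errors.New("kubeconfig sets insecure-skip-tls-verify; refusing without explicit opt-in")
	case c.InsecureSkipTLSVerify:
		cfg.InsecureSkipVerify = true
	case c.CertificateAuthorityData != "":
		pemBytes, err := decodeCAData(c.CertificateAuthorityData)
		if err != nil {
			return nil, fmt.Errorf("certificate-authority-data: %w", err)
		}
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(pemBytes) {
			return nil, errors.New("certificate-authority-data holds no CA certificate")
		}
	} // with neither set, the system roots verify the API server
	if len(u.ClientCertificateData)+len(u.ClientKeyData) > 0 {
		cert, err := tls.X509KeyPair(u.ClientCertificateData, u.ClientKeyData)
		if err != nil {
			return nil, fmt.Errorf("client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

// SelfSignedCA is a constructed fixture: a throwaway CA certificate in the
// base64-PEM form a kubeconfig carries, so the example runs offline.
func SelfSignedCA() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

func main() {
	ca, err := SelfSignedCA()
	if err != nil {
		panic(err)
	}
	cluster := KubeCluster{Server: "https://10.0.0.1:6443", CertificateAuthorityData: ca}
	cfg, err := TLSConfigFor(cluster, KubeUser{}, false)
	fmt.Println(cfg.RootCAs != nil, err) // true <nil>
}
```

The explicit opt-in is the part that matters for a client that auto-configures from a config map, as the README says this package can: a kubeconfig is data, and whoever can write that config map should not be able to downgrade every API server connection to unverified TLS by flipping one boolean.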

type LabelSelector

type LabelSelector struct {
	// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
	// map is equivalent to an element of matchExpressions, whose key field is "key", the
	// operator is "In", and the values array contains only "value". The requirements are ANDed.
	// +optional
	MatchLabels map[string]string `json:"matchLabels,omitempty" protobuf:"bytes,1,rep,name=matchLabels"`
	// matchExpressions is a list of label selector requirements. The requirements are ANDed.
	// +optional
	MatchExpressions []LabelSelectorRequirement `json:"matchExpressions,omitempty" protobuf:"bytes,2,rep,name=matchExpressions"`
}

type LabelSelectorOperator

type LabelSelectorOperator string

A label selector operator is the set of operators that can be used in a selector requirement.

const (
	LabelSelectorOpIn           LabelSelectorOperator = "In"
	LabelSelectorOpNotIn        LabelSelectorOperator = "NotIn"
	LabelSelectorOpExists       LabelSelectorOperator = "Exists"
	LabelSelectorOpDoesNotExist LabelSelectorOperator = "DoesNotExist"
)

type LabelSelectorRequirement

type LabelSelectorRequirement struct {
	// key is the label key that the selector applies to.
	// +patchMergeKey=key
	// +patchStrategy=merge
	Key string `json:"key" patchStrategy:"merge" patchMergeKey:"key" protobuf:"bytes,1,opt,name=key"`
	// operator represents a key's relationship to a set of values.
	// Valid operators are In, NotIn, Exists and DoesNotExist.
	Operator LabelSelectorOperator `json:"operator" protobuf:"bytes,2,opt,name=operator,casttype=LabelSelectorOperator"`
	// values is an array of string values. If the operator is In or NotIn,
	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
	// the values array must be empty. This array is replaced during a strategic
	// merge patch.
	// +optional
	Values []string `json:"values,omitempty" protobuf:"bytes,3,rep,name=values"`
}

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
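An added example in Go (not code from the hbone package) serving both the IstioGateway selector doc above and the LabelSelector types: matchLabels and matchExpressions are ANDed, In/NotIn require values while Exists/DoesNotExist forbid them, and an empty selector matches every workload. `SelectWorkloads` then shows the cross-namespace behaviour the IstioGateway doc describes, with `scopeToNamespace` standing in for PILOT_SCOPE_GATEWAY_TO_NAMESPACE; `Workload` and the sample fleet are constructed for the example.

```go
package main

import "fmt"

// The page's selector types, reduced to what matching needs; Operator is one
// of "In", "NotIn", "Exists" or "DoesNotExist".
type LabelSelectorOperator string

type LabelSelectorRequirement struct {
	Key      string
	Operator LabelSelectorOperator
	Values   []string
}

type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []LabelSelectorRequirement
}

// Matches reports whether labels satisfy every requirement (they are ANDed)
// and enforces the values rule for each operator. An empty selector matches
// everything, which is how the IstioGateway doc above reads ("If selector is
// nil, the Gateway will be applied to all workloads").
func (s LabelSelector) Matches(labels map[string]string) (bool, error) {
	for k, v := range s.MatchLabels { // each pair is an implicit "In" with one value
		if got, present := labels[k]; !present || got != v {
			return false, nil
		}
	}
	for _, r := range s.MatchExpressions {
		v, present := labels[r.Key]
		listed := false
		for _, want := range r.Values {
			listed = listed || want == v
		}
		var ok bool
		switch {
		case (r.Operator == "In" || r.Operator == "NotIn") && len(r.Values) == 0:
			return false, fmt.Errorf("%s %s: values must be non-empty", r.Key, r.Operator)
		case (r.Operator == "Exists" || r.Operator == "DoesNotExist") && len(r.Values) != 0:
			return false, fmt.Errorf("%s %s: values must be empty", r.Key, r.Operator)
		case r.Operator == "Exists":
			ok = present
		case r.Operator == "DoesNotExist":
			ok = !present
		case r.Operator == "In": // the key must be present with a listed value
			ok = present && listed
		case r.Operator == "NotIn": // an absent key satisfies NotIn, as does an unlisted value
			ok = !(present && listed)
		default:
			return false, fmt.Errorf("%s: unknown operator %q", r.Key, r.Operator)
		}
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

// Workload is a constructed stand-in for a pod or VM a gateway may select.
type Workload struct {
	Namespace, Name string
	Labels          map[string]string
}

// SelectWorkloads applies a gateway selector across the fleet. With
// scopeToNamespace false (the Istio default described above) a Gateway in
// "foo" can pick up workloads in "bar"; with it true, as when
// PILOT_SCOPE_GATEWAY_TO_NAMESPACE is set, only the Gateway's own namespace
// is searched.
func SelectWorkloads(gatewayNS string, sel LabelSelector, fleet []Workload, scopeToNamespace bool) ([]string, error) {
	var picked []string
	for _, w := range fleet {
		if scopeToNamespace && w.Namespace != gatewayNS {
			continue
		}
		ok, err := sel.Matches(w.Labels)
		if err != nil {
			return nil, err
		}
		if ok {
			picked = append(picked, w.Namespace+"/"+w.Name)
		}
	}
	return picked, nil
}

// SampleFleet is a constructed fixture: the real ingress gateway, a pod in an
// unrelated namespace wearing the same label, and an ordinary app pod.
func SampleFleet() []Workload {
	return []Workload{
		{"istio-system", "ingressgateway-1", map[string]string{"istio": "ingressgateway"}},
		{"bar", "rogue-gw", map[string]string{"istio": "ingressgateway"}},
		{"foo", "app", map[string]string{"app": "shop"}},
	}
}

func main() {
	sel := LabelSelector{MatchLabels: map[string]string{"istio": "ingressgateway"}}
	wide, _ := SelectWorkloads("foo", sel, SampleFleet(), false)
	scoped, _ := SelectWorkloads("foo", sel, SampleFleet(), true)
	fmt.Println(wide, scoped) // [istio-system/ingressgateway-1 bar/rogue-gw] []
}
```

The "rogue-gw" entry is the case the IstioGateway doc warns about: anyone who can label a pod in some other namespace can make a Gateway's server configuration apply to it unless istiod is run with the namespace scoping switched on. Note also that the empty-selector behaviour here follows the Istio doc; Kubernetes' own metav1.LabelSelectorAsSelector treats a nil selector as matching nothing and only an empty, non-nil one as matching everything.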

type ListMeta

type ListMeta struct {
	// selfLink is a URL representing this object.
	// Populated by the system.
	// Read-only.
	//
	// DEPRECATED
	// Kubernetes will stop propagating this field in 1.20 release and the field is planned
	// to be removed in 1.21 release.
	// +optional
	SelfLink string `json:"selfLink,omitempty" protobuf:"bytes,1,opt,name=selfLink"`

	// String that identifies the server's internal version of this object that
	// can be used by clients to determine when objects have changed.
	// Value must be treated as opaque by clients and passed unmodified back to the server.
	// Populated by the system.
	// Read-only.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
	// +optional
	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,2,opt,name=resourceVersion"`

	// continue may be set if the user set a limit on the number of items returned, and indicates that
	// the server has more data available. The value is opaque and may be used to issue another request
	// to the endpoint that served this list to retrieve the next set of available objects. Continuing a
	// consistent list may not be possible if the server configuration has changed or more than a few
	// minutes have passed. The resourceVersion field returned when using this continue value will be
	// identical to the value in the first response, unless you have received this token from an error
	// message.
	Continue string `json:"continue,omitempty" protobuf:"bytes,3,opt,name=continue"`

	// remainingItemCount is the number of subsequent items in the list which are not included in this
	// list response. If the list request contained label or field selectors, then the number of
	// remaining items is unknown and the field will be left unset and omitted during serialization.
	// If the list is complete (either because it is not chunking or because this is the last chunk),
	// then there are no more remaining items and this field will be left unset and omitted during
	// serialization.
	// Servers older than v1.15 do not set this field.
	// The intended use of the remainingItemCount is *estimating* the size of a collection. Clients
	// should not rely on the remainingItemCount to be set or to be exact.
	// +optional
	RemainingItemCount *int64 `json:"remainingItemCount,omitempty" protobuf:"bytes,4,opt,name=remainingItemCount"`
}

ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.

type Listener

type Listener struct {
	// Hostname specifies the virtual hostname to match for protocol types that
	// define this concept. When unspecified or "*", all hostnames are matched.
	// This field can be omitted for protocols that don't require hostname based
	// matching.
	//
	// Hostname is the fully qualified domain name of a network host, as defined
	// by RFC 3986. Note the following deviations from the "host" part of the
	// URI as defined in the RFC:
	//
	// 1. IP literals are not allowed.
	// 2. The `:` delimiter is not respected because ports are not allowed.
	//
	// Hostname can be "precise" which is a domain name without the terminating
	// dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
	// domain name prefixed with a single wildcard label (e.g. "*.example.com").
	// The wildcard character '*' must appear by itself as the first DNS label
	// and matches only a single label.
	//
	// Support: Core
	//
	// +optional
	Hostname *Hostname `json:"hostname,omitempty"`

	// Port is the network port. Multiple listeners may use the
	// same port, subject to the Listener compatibility rules.
	//
	// Support: Core
	Port PortNumber `json:"port"`

	// Protocol specifies the network protocol this listener expects to receive.
	// The GatewayClass MUST apply the Hostname match appropriately for each
	// protocol:
	//
	// * For the "TLS" protocol, the Hostname match MUST be
	//   applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3)
	//   server name offered by the client.
	// * For the "HTTP" protocol, the Hostname match MUST be
	//   applied to the host portion of the
	//   [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)
	//   or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)
	// * For the "HTTPS" protocol, the Hostname match MUST be
	//   applied at both the TLS and HTTP protocol layers.
	//
	// Support: Core
	Protocol ProtocolType `json:"protocol"`

	// TLS is the TLS configuration for the Listener. This field
	// is required if the Protocol field is "HTTPS" or "TLS" and
	// ignored otherwise.
	//
	// The association of SNIs to Certificate defined in GatewayTLSConfig is
	// defined based on the Hostname field for this listener.
	//
	// The GatewayClass MUST use the longest matching SNI out of all
	// available certificates for any TLS handshake.
	//
	// Support: Core
	//
	// +optional
	TLS *GatewayTLSConfig `json:"tls,omitempty"`

	// Routes specifies a schema for associating routes with the
	// Listener using selectors. A Route is a resource capable of
	// servicing a request and allows a cluster operator to expose
	// a cluster resource (i.e. Service) by externally-reachable
	// URL, load-balance traffic and terminate SSL/TLS.  Typically,
	// a route is a "HTTPRoute" or "TCPRoute" in group
	// "networking.x-k8s.io", however, an implementation may support
	// other types of resources.
	//
	// The Routes selector MUST select a set of objects that
	// are compatible with the application protocol specified in
	// the Protocol field.
	//
	// Although a client request may technically match multiple route rules,
	// only one rule may ultimately receive the request. Matching precedence
	// MUST be determined in order of the following criteria:
	//
	// * The most specific match. For example, the most specific HTTPRoute match
	//   is determined by the longest matching combination of hostname and path.
	// * The oldest Route based on creation timestamp. For example, a Route with
	//   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
	//   a Route with a creation timestamp of "2020-09-08 01:02:04".
	// * If everything else is equivalent, the Route appearing first in
	//   alphabetical order (namespace/name) should be given precedence. For
	//   example, foo/bar is given precedence over foo/baz.
	//
	// All valid portions of a Route selected by this field should be supported.
	// Invalid portions of a Route can be ignored (sometimes that will mean the
	// full Route). If a portion of a Route transitions from valid to invalid,
	// support for that portion of the Route should be dropped to ensure
	// consistency. For example, even if a filter specified by a Route is
	// invalid, the rest of the Route should still be supported.
	//
	// Support: Core
	Routes RouteBindingSelector `json:"routes"`
}

Listener embodies the concept of a logical endpoint where a Gateway can accept network connections. Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. This will be enforced by a validating webhook.

type ListenerConditionReason

type ListenerConditionReason string

ListenerConditionReason defines the set of reasons that explain why a particular Listener condition type has been raised.

type ListenerConditionType

type ListenerConditionType string

ListenerConditionType is a type of condition associated with the listener. This type should be used with the ListenerStatus.Conditions field.

type ListenerStatus

type ListenerStatus struct {
	// Port is the unique Listener port value for which this message is
	// reporting the status.
	Port PortNumber `json:"port"`

	// Protocol is the Listener protocol value for which this message is
	// reporting the status.
	Protocol ProtocolType `json:"protocol"`

	// Hostname is the Listener hostname value for which this message is
	// reporting the status.
	// +optional
	Hostname *Hostname `json:"hostname,omitempty"`

	// Conditions describe the current condition of this listener.
	//
	// +listType=map
	// +listMapKey=type
	// +kubebuilder:validation:MaxItems=8
	Conditions []Condition `json:"conditions"`
}

ListenerStatus is the status associated with a Listener.

type LocalObjectReference

type LocalObjectReference struct {
	// Group is the group of the referent.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Group string `json:"group"`
	// Kind is kind of the referent.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Kind string `json:"kind"`
	// Name is the name of the referent.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Name string `json:"name"`
}

LocalObjectReference identifies an API object within a known namespace.

type ObjectMeta

type ObjectMeta struct {
	// Name must be unique within a namespace. Is required when creating resources, although
	// some resources may allow a client to request the generation of an appropriate name
	// automatically. Name is primarily intended for creation idempotence and configuration
	// definition.
	// Cannot be updated.
	// More info: http://kubernetes.io/docs/user-guide/identifiers#names
	// +optional
	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`

	// Namespace defines the space within each name must be unique. An empty namespace is
	// equivalent to the "default" namespace, but "default" is the canonical representation.
	// Not all objects are required to be scoped to a namespace - the value of this field for
	// those objects will be empty.
	//
	// Must be a DNS_LABEL.
	// Cannot be updated.
	// More info: http://kubernetes.io/docs/user-guide/namespaces
	// +optional
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,3,opt,name=namespace"`

	// UID is the unique in time and space value for this object. It is typically generated by
	// the server on successful creation of a resource and is not allowed to change on PUT
	// operations.
	//
	// Populated by the system.
	// Read-only.
	// More info: http://kubernetes.io/docs/user-guide/identifiers#uids
	// +optional
	UID UID `json:"uid,omitempty" protobuf:"bytes,5,opt,name=uid,casttype=k8s.io/kubernetes/pkg/types.UID"`

	// An opaque value that represents the internal version of this object that can
	// be used by clients to determine when objects have changed. May be used for optimistic
	// concurrency, change detection, and the watch operation on a resource or set of resources.
	// Clients must treat these values as opaque and passed unmodified back to the server.
	// They may only be valid for a particular resource or set of resources.
	//
	// Populated by the system.
	// Read-only.
	// Value must be treated as opaque by clients.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
	// +optional
	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,6,opt,name=resourceVersion"`

	// A sequence number representing a specific generation of the desired state.
	// Populated by the system. Read-only.
	// +optional
	Generation int64 `json:"generation,omitempty" protobuf:"varint,7,opt,name=generation"`

	// CreationTimestamp is a timestamp representing the server time when this object was
	// created. It is not guaranteed to be set in happens-before order across separate operations.
	// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
	//
	// Populated by the system.
	// Read-only.
	// Null for lists.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	CreationTimestamp Time `json:"creationTimestamp,omitempty" protobuf:"bytes,8,opt,name=creationTimestamp"`

	// DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
	// field is set by the server when a graceful deletion is requested by the user, and is not
	// directly settable by a client. The resource is expected to be deleted (no longer visible
	// from resource lists, and not reachable by name) after the time in this field, once the
	// finalizers list is empty. As long as the finalizers list contains items, deletion is blocked.
	// Once the deletionTimestamp is set, this value may not be unset or be set further into the
	// future, although it may be shortened or the resource may be deleted prior to this time.
	// For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react
	// by sending a graceful termination signal to the containers in the pod. After that 30 seconds,
	// the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup,
	// remove the pod from the API. In the presence of network partitions, this object may still
	// exist after this timestamp, until an administrator or automated process can determine the
	// resource is fully terminated.
	// If not set, graceful deletion of the object has not been requested.
	//
	// Populated by the system when a graceful deletion is requested.
	// Read-only.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	DeletionTimestamp *Time `json:"deletionTimestamp,omitempty" protobuf:"bytes,9,opt,name=deletionTimestamp"`

	// Number of seconds allowed for this object to gracefully terminate before
	// it will be removed from the system. Only set when deletionTimestamp is also set.
	// May only be shortened.
	// Read-only.
	// +optional
	DeletionGracePeriodSeconds *int64 `json:"deletionGracePeriodSeconds,omitempty" protobuf:"varint,10,opt,name=deletionGracePeriodSeconds"`

	// Map of string keys and values that can be used to organize and categorize
	// (scope and select) objects. May match selectors of replication controllers
	// and services.
	// More info: http://kubernetes.io/docs/user-guide/labels
	// +optional
	Labels map[string]string `json:"labels,omitempty" protobuf:"bytes,11,rep,name=labels"`

	// Annotations is an unstructured key value map stored with a resource that may be
	// set by external tools to store and retrieve arbitrary metadata. They are not
	// queryable and should be preserved when modifying objects.
	// More info: http://kubernetes.io/docs/user-guide/annotations
	// +optional
	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,12,rep,name=annotations"`

	// Must be empty before the object is deleted from the registry. Each entry
	// is an identifier for the responsible component that will remove the entry
	// from the list. If the deletionTimestamp of the object is non-nil, entries
	// in this list can only be removed.
	// Finalizers may be processed and removed in any order.  Order is NOT enforced
	// because it introduces significant risk of stuck finalizers.
	// finalizers is a shared field, any actor with permission can reorder it.
	// If the finalizer list is processed in order, then this can lead to a situation
	// in which the component responsible for the first finalizer in the list is
	// waiting for a signal (field value, external system, or other) produced by a
	// component responsible for a finalizer later in the list, resulting in a deadlock.
	// Without enforced ordering finalizers are free to order amongst themselves and
	// are not vulnerable to ordering changes in the list.
	// +optional
	// +patchStrategy=merge
	Finalizers []string `json:"finalizers,omitempty" patchStrategy:"merge" protobuf:"bytes,14,rep,name=finalizers"`

	// The name of the cluster which the object belongs to.
	// This is used to distinguish resources with same name and namespace in different clusters.
	// This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
	// +optional
	ClusterName string `json:"clusterName,omitempty" protobuf:"bytes,15,opt,name=clusterName"`
}

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

type PathMatchType

type PathMatchType string

PathMatchType specifies the semantics of how HTTP paths should be compared. Valid PathMatchType values are:

* "Exact"
* "Prefix"
* "RegularExpression"
* "ImplementationSpecific"

Prefix and Exact paths must be syntactically valid:

  • Must begin with the '/' character
  • Must not contain consecutive '/' characters (e.g. /foo///, //).
  • For prefix paths, a trailing '/' character in the Path is ignored, e.g. /abc and /abc/ specify the same match.

+kubebuilder:validation:Enum=Exact;Prefix;RegularExpression;ImplementationSpecific

const (
	PathMatchExact                  PathMatchType = "Exact"
	PathMatchPrefix                 PathMatchType = "Prefix"
	PathMatchRegularExpression      PathMatchType = "RegularExpression"
	PathMatchImplementationSpecific PathMatchType = "ImplementationSpecific"
)

PathMatchType constants.
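The route precedence rules given under the Routes field above (most specific match, then oldest creation timestamp, then namespace/name order) and the Prefix/Exact path syntax rules just listed, worked through in one added Go example that is not part of this package: ValidatePath, MatchPath, SelectRoute and the candidate routes are constructed for illustration, and per-element prefix matching plus combined hostname+path length as the specificity measure are assumptions, not something the page states.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PathMatchType mirrors the page's enum; only Exact and Prefix are handled here.
type PathMatchType string

const (
	PathMatchExact  PathMatchType = "Exact"
	PathMatchPrefix PathMatchType = "Prefix"
)

// ValidatePath applies the page's syntax rules; for Prefix a trailing '/' is dropped.
func ValidatePath(t PathMatchType, p string) (string, error) {
	if !strings.HasPrefix(p, "/") {
		return "", fmt.Errorf("path %q must begin with '/'", p)
	}
	if strings.Contains(p, "//") {
		return "", fmt.Errorf("path %q contains consecutive '/' characters", p)
	}
	if t == PathMatchPrefix && len(p) > 1 {
		p = strings.TrimSuffix(p, "/") // "/abc" and "/abc/" specify the same match
	}
	return p, nil
}

// MatchPath matches a validated rule path; Prefix is per path element
// (assumption: "/abc" matches "/abc/x" but not "/abcd").
func MatchPath(t PathMatchType, rule, req string) bool {
	switch t {
	case PathMatchExact:
		return req == rule
	case PathMatchPrefix:
		return rule == "/" || req == rule || strings.HasPrefix(req, rule+"/")
	}
	return false
}

// Route is a constructed candidate rule with the metadata precedence consults; Hostname "" matches any host.
type Route struct {
	Namespace, Name, Hostname string
	PathType                  PathMatchType
	Path                      string
	Created                   time.Time
}

// SelectRoute skips candidates with an invalid path (the page says invalid portions
// are ignored), keeps those matching the request and orders them by the page's
// precedence: most specific (read here as combined hostname+path length), oldest, namespace/name.
func SelectRoute(routes []Route, host, path string) (Route, bool) {
	var matched []Route
	for _, r := range routes {
		p, err := ValidatePath(r.PathType, r.Path)
		if err == nil && (r.Hostname == "" || r.Hostname == host) && MatchPath(r.PathType, p, path) {
			r.Path = p
			matched = append(matched, r)
		}
	}
	if len(matched) == 0 {
		return Route{}, false
	}
	sort.SliceStable(matched, func(i, j int) bool {
		a, b := matched[i], matched[j]
		sa, sb := len(a.Hostname)+len(a.Path), len(b.Hostname)+len(b.Path)
		if sa != sb {
			return sa > sb // most specific first
		}
		if !a.Created.Equal(b.Created) {
			return a.Created.Before(b.Created) // oldest first
		}
		return a.Namespace+"/"+a.Name < b.Namespace+"/"+b.Name // alphabetical
	})
	return matched[0], true
}

// SampleRoutes is constructed data that exercises every tie-break rule.
func SampleRoutes() []Route {
	t0 := time.Date(2020, 9, 8, 1, 2, 3, 0, time.UTC)
	h := "api.example.com"
	return []Route{
		{"foo", "bar", h, PathMatchPrefix, "/v1/", t0},
		{"foo", "baz", h, PathMatchPrefix, "/v1/users", t0},
		{"foo", "qux", "", PathMatchPrefix, "/", t0},
		{"foo", "older", h, PathMatchExact, "/v1/users", t0},
		{"foo", "newer", h, PathMatchExact, "/v1/users", t0.Add(time.Second)},
		{"bar", "older", h, PathMatchExact, "/v1/users", t0},
		{"foo", "broken", h, PathMatchPrefix, "//v1", t0}, // invalid, ignored
	}
}

func main() {
	r, ok := SelectRoute(SampleRoutes(), "api.example.com", "/v1/users")
	fmt.Println(r.Namespace+"/"+r.Name, ok) // bar/older true
}
```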

type Port

type Port struct {
	// A valid non-negative integer port number.
	Number uint32 `protobuf:"varint,1,opt,name=number,proto3" json:"number,omitempty"`
	// The protocol exposed on the port.
	// MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
	// TLS implies the connection will be routed based on the SNI header to
	// the destination without terminating the TLS connection.
	Protocol string `protobuf:"bytes,2,opt,name=protocol,proto3" json:"protocol,omitempty"`
	// Label assigned to the port.
	Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
	// The port number on the endpoint where the traffic will be
	// received. Applicable only when used with ServiceEntries.
	TargetPort           uint32   `protobuf:"varint,4,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Port describes the properties of a specific port of a service.

type PortNumber

type PortNumber int32

PortNumber defines a network port.

+kubebuilder:validation:Minimum=1
+kubebuilder:validation:Maximum=65535

type ProtocolType

type ProtocolType string

ProtocolType defines the application protocol accepted by a Listener. Implementations are not required to accept all the defined protocols. If an implementation does not support a specified protocol, it should raise a "Detached" condition for the affected Listener with a reason of "UnsupportedProtocol".

Core ProtocolType values are:

* "HTTP"
* "HTTPS"
* "TLS"
* "TCP"
* "UDP"

Implementations can define their own protocols if a core ProtocolType does not exist. Such definitions must use prefixed name, such as `mycompany.com/my-custom-protocol`. Un-prefixed names are reserved for core protocols. Any protocol defined by implementations will fall under custom conformance.

const (
	// HTTPProtocolType accepts cleartext HTTP/1.1 sessions over TCP.
	HTTPProtocolType ProtocolType = "HTTP"

	// HTTPSProtocolType accepts HTTP/1.1 or HTTP/2 sessions over TLS.
	HTTPSProtocolType ProtocolType = "HTTPS"

	// TLSProtocolType accepts TLS sessions over TCP.
	TLSProtocolType ProtocolType = "TLS"

	// TCPProtocolType accepts TCP sessions.
	TCPProtocolType ProtocolType = "TCP"

	// UDPProtocolType accepts UDP packets.
	UDPProtocolType ProtocolType = "UDP"
)

type RouteBindingSelector

type RouteBindingSelector struct {
	// Namespaces indicates in which namespaces Routes should be selected
	// for this Gateway. This is restricted to the namespace of this Gateway by
	// default.
	//
	// Support: Core
	// +kubebuilder:default={from: "Same"}
	Namespaces *RouteNamespaces `json:"namespaces,omitempty"`
	// Selector specifies a set of route labels used for selecting
	// routes to associate with the Gateway. If this Selector is defined,
	// only routes matching the Selector are associated with the Gateway.
	// An empty Selector matches all routes.
	//
	// Support: Core
	//
	// +optional
	Selector LabelSelector `json:"selector,omitempty"`
	// Group is the group of the route resource to select. Omitting the value or specifying
	// the empty string indicates the networking.x-k8s.io API group.
	// For example, use the following to select an HTTPRoute:
	//
	// routes:
	//   kind: HTTPRoute
	//
	// Otherwise, if an alternative API group is desired, specify the desired
	// group:
	//
	// routes:
	//   group: acme.io
	//   kind: FooRoute
	//
	// Support: Core
	//
	// +kubebuilder:default=networking.x-k8s.io
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Group string `json:"group,omitempty"`
	// Kind is the kind of the route resource to select.
	//
	// Kind MUST correspond to kinds of routes that are compatible with the
	// application protocol specified in the Listener's Protocol field.
	//
	// If an implementation does not support or recognize this
	// resource type, it SHOULD set the "ResolvedRefs" condition to false for
	// this listener with the "InvalidRoutesRef" reason.
	//
	// Support: Core
	Kind string `json:"kind"`
}

RouteBindingSelector defines a schema for associating routes with the Gateway. If Namespaces and Selector are defined, only routes matching both selectors are associated with the Gateway.

type RouteForwardTo

type RouteForwardTo struct {
	// ServiceName refers to the name of the Service to forward matched requests
	// to. When specified, this takes the place of BackendRef. If both
	// BackendRef and ServiceName are specified, ServiceName will be given
	// precedence.
	//
	// If the referent cannot be found, the rule is not included in the route.
	// The controller should raise the "ResolvedRefs" condition on the Gateway
	// with the "DegradedRoutes" reason. The gateway status for this route should
	// be updated with a condition that describes the error more specifically.
	//
	// The protocol to use is defined using AppProtocol field (introduced in
	// Kubernetes 1.18) in the Service resource. In the absence of the
	// AppProtocol field a `networking.x-k8s.io/app-protocol` annotation on the
	// BackendPolicy resource may be used to define the protocol. If the
	// AppProtocol field is available, this annotation should not be used. The
	// AppProtocol field, when populated, takes precedence over the annotation
	// in the BackendPolicy resource. For custom backends, it is encouraged to
	// add a semantically-equivalent field in the Custom Resource Definition.
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:validation:MaxLength=253
	ServiceName *string `json:"serviceName,omitempty"`

	// BackendRef is a reference to a backend to forward matched requests to. If
	// both BackendRef and ServiceName are specified, ServiceName will be given
	// precedence.
	//
	// If the referent cannot be found, the rule is not included in the route.
	// The controller should raise the "ResolvedRefs" condition on the Gateway
	// with the "DegradedRoutes" reason. The gateway status for this route should
	// be updated with a condition that describes the error more specifically.
	//
	//
	// Support: Custom
	//
	// +optional
	BackendRef *LocalObjectReference `json:"backendRef,omitempty"`

	// Port specifies the destination port number to use for the
	// backend referenced by the ServiceName or BackendRef field.
	//
	// Support: Core
	Port PortNumber `json:"port"`

	// Weight specifies the proportion of HTTP requests forwarded to the backend
	// referenced by the ServiceName or BackendRef field. This is computed as
	// weight/(sum of all weights in this ForwardTo list). For non-zero values,
	// there may be some epsilon from the exact proportion defined here
	// depending on the precision an implementation supports. Weight is not a
	// percentage and the sum of weights does not need to equal 100.
	//
	// If only one backend is specified and it has a weight greater than 0, 100%
	// of the traffic is forwarded to that backend. If weight is set to 0, no
	// traffic should be forwarded for this entry. If unspecified, weight
	// defaults to 1.
	//
	// Support: Extended
	//
	// +kubebuilder:default=1
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=1000000
	Weight int32 `json:"weight,omitempty"`
}

RouteForwardTo defines how a Route should forward a request.

type RouteGatewayStatus

type RouteGatewayStatus struct {
	// GatewayRef is a reference to a Gateway object that is associated with
	// the route.
	GatewayRef GatewayReference `json:"gatewayRef"`
	// Conditions describes the status of the route with respect to the
	// Gateway.  For example, the "Admitted" condition indicates whether the
	// route has been admitted or rejected by the Gateway, and why.  Note
	// that the route's availability is also subject to the Gateway's own
	// status conditions and listener status.
	//
	// +listType=map
	// +listMapKey=type
	// +kubebuilder:validation:MaxItems=8
	Conditions []Condition `json:"conditions,omitempty"`
}

RouteGatewayStatus describes the status of a route with respect to an associated Gateway.

type RouteGateways

type RouteGateways struct {
	// Allow indicates which Gateways will be allowed to use this route.
	// Possible values are:
	// * All: Gateways in any namespace can use this route.
	// * FromList: Only Gateways specified in GatewayRefs may use this route.
	// * SameNamespace: Only Gateways in the same namespace may use this route.
	// +kubebuilder:validation:Enum=All;FromList;SameNamespace
	// +kubebuilder:default=SameNamespace
	Allow GatewayAllowType `json:"allow,omitempty"`
	// GatewayRefs must be specified when Allow is set to "FromList". In that
	// case, only Gateways referenced in this list will be allowed to use this
	// route. This field is ignored for other values of "Allow".
	// +optional
	GatewayRefs []GatewayReference `json:"gatewayRefs,omitempty"`
}

RouteGateways defines which Gateways will be able to use a route. If this field results in preventing the selection of a Route by a Gateway, an "Admitted" condition with a status of false must be set for the Gateway on that Route.

type RouteNamespaces

type RouteNamespaces struct {
	// From indicates where Routes will be selected for this Gateway. Possible
	// values are:
	// * All: Routes in all namespaces may be used by this Gateway.
	// * Selector: Routes in namespaces selected by the selector may be used by
	//   this Gateway.
	// * Same: Only Routes in the same namespace may be used by this Gateway.
	//
	// Support: Core
	From RouteSelectType `json:"from,omitempty"`

	// Selector must be specified when From is set to "Selector". In that case,
	// only Routes in Namespaces matching this Selector will be selected by this
	// Gateway. This field is ignored for other values of "From".
	//
	// Support: Core
	//
	// +optional
	Selector LabelSelector `json:"selector,omitempty"`
}

RouteNamespaces indicate which namespaces Routes should be selected from.

type RouteSelectType

type RouteSelectType string

RouteSelectType specifies where Routes should be selected by a Gateway.

+kubebuilder:validation:Enum=All;Selector;Same
+kubebuilder:default=Same

const (
	// RouteSelectAll indicates that Routes in all namespaces may be used by
	// this Gateway.
	RouteSelectAll RouteSelectType = "All"
	// RouteSelectSelector indicates that only Routes in namespaces selected by
	// the selector may be used by this Gateway.
	RouteSelectSelector RouteSelectType = "Selector"
	// RouteSelectSame indicates that only Routes in the same namespace may be
	// used by this Gateway.
	RouteSelectSame RouteSelectType = "Same"
)

type RouteStatus

type RouteStatus struct {
	// Gateways is a list of the Gateways that are associated with the
	// route, and the status of the route with respect to each of these
	// Gateways. When a Gateway selects this route, the controller that
	// manages the Gateway should add an entry to this list when the
	// controller first sees the route and should update the entry as
	// appropriate when the route is modified.
	//
	// A maximum of 100 Gateways will be represented in this list. If this list
	// is full, there may be additional Gateways using this Route that are not
	// included in the list.
	//
	// +kubebuilder:validation:MaxItems=100
	Gateways []RouteGatewayStatus `json:"gateways"`
}

RouteStatus defines the observed state that is required across all route types.

type RouteTLSConfig

type RouteTLSConfig struct {
	// CertificateRef refers to a Kubernetes object that
	// contains a TLS certificate and private key.
	// This certificate MUST be used for TLS handshakes for the domain
	// this RouteTLSConfig is associated with.
	// If an entry in this list omits or specifies the empty
	// string for both the group and kind, the resource defaults to "secrets".
	// An implementation may support other resources (for example, resource
	// "mycertificates" in group "networking.acme.io").
	// Support: Core (Kubernetes Secrets)
	// Support: Implementation-specific (Other resource types)
	//
	// +required
	CertificateRef LocalObjectReference `json:"certificateRef"`
}

RouteTLSConfig describes a TLS configuration defined at the Route level.

type Secret

type Secret struct {
	ObjectMeta

	//ApiVersion string            `json:"apiVersion"`
	Data map[string][]byte `json:"data"`
}

type Server

type Server struct {
	// The Port on which the proxy should listen for incoming
	// connections.
	Port *Port `protobuf:"bytes,1,opt,name=port,proto3" json:"port,omitempty"`
	// $hide_from_docs
	// The ip or the Unix domain socket to which the listener should be bound
	// to. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar`
	// (Linux abstract namespace). When using Unix domain sockets, the port
	// number should be 0.
	Bind string `protobuf:"bytes,4,opt,name=bind,proto3" json:"bind,omitempty"`
	// One or more hosts exposed by this gateway.
	// While typically applicable to
	// HTTP services, it can also be used for TCP services using TLS with SNI.
	// A host is specified as a `dnsName` with an optional `namespace/` prefix.
	// The `dnsName` should be specified using FQDN format, optionally including
	// a wildcard character in the left-most component (e.g.,
	// `prod/*.example.com`). Set the `dnsName` to `*` to select all
	// `VirtualService` hosts from the specified namespace (e.g.,`prod/*`).
	//
	// The `namespace` can be set to `*` or `.`, representing any or the current
	// namespace, respectively. For example, `*/foo.example.com` selects the
	// service from any available namespace while `./foo.example.com` only selects
	// the service from the namespace of the sidecar. The default, if no
	// `namespace/` is specified, is `*/`, that is, select services from any
	// namespace. Any associated `DestinationRule` in the selected namespace will
	// also be used.
	//
	// A `VirtualService` must be bound to the gateway and must have one or
	// more hosts that match the hosts specified in a server. The match
	// could be an exact match or a suffix match with the server's hosts. For
	// example, if the server's hosts specifies `*.example.com`, a
	// `VirtualService` with hosts `dev.example.com` or `prod.example.com` will
	// match. However, a `VirtualService` with host `example.com` or
	// `newexample.com` will not match.
	//
	// NOTE: Only virtual services exported to the gateway's namespace
	// (e.g., `exportTo` value of `*`) can be referenced.
	// Private configurations (e.g., `exportTo` set to `.`) will not be
	// available. Refer to the `exportTo` setting in `VirtualService`,
	// `DestinationRule`, and `ServiceEntry` configurations for details.
	Hosts []string `protobuf:"bytes,2,rep,name=hosts,proto3" json:"hosts,omitempty"`
	// Set of TLS related options that govern the server's behavior. Use
	// these options to control if all http requests should be redirected to
	// https, and the TLS modes to use.
	Tls *ServerTLSSettings `protobuf:"bytes,3,opt,name=tls,proto3" json:"tls,omitempty"`
	// The loopback IP endpoint or Unix domain socket to which traffic should
	// be forwarded to by default. Format should be `127.0.0.1:PORT` or
	// `unix:///path/to/socket` or `unix://@foobar` (Linux abstract namespace).
	// NOT IMPLEMENTED.
	// $hide_from_docs
	DefaultEndpoint string `protobuf:"bytes,5,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"`
	// An optional name of the server, when set must be unique across all servers.
	// This will be used for variety of purposes like prefixing stats generated with
	// this name etc.
	Name                 string   `protobuf:"bytes,6,opt,name=name,proto3" json:"name,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
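Added example, not this package's or Istio's own code, of the Server.Hosts matching rules described above: `namespace/dnsName` parsing with the `*` and `.` namespace forms, the wildcard restricted to the left-most label, and the exact-or-suffix host match (`*.example.com` matches `dev.example.com` but not `example.com` or `newexample.com`). HostSpec, ParseHost and ServerSelects are hypothetical names, and the `exportTo` visibility restriction is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// HostSpec is one parsed entry of Server.Hosts, `namespace/dnsName`.
type HostSpec struct {
	Namespace string // "*" (any), "." (the gateway's own namespace) or a literal
	DNSName   string // "*", "*.suffix" or an exact FQDN
}

// ParseHost splits an entry as the page describes; without a `namespace/`
// prefix the namespace defaults to "*". A wildcard is accepted only as the
// whole name or as the left-most label.
func ParseHost(entry string) (HostSpec, error) {
	ns, name := "*", entry
	if i := strings.Index(entry, "/"); i >= 0 {
		ns, name = entry[:i], entry[i+1:]
	}
	if ns == "" || name == "" {
		return HostSpec{}, fmt.Errorf("host %q: empty namespace or dnsName", entry)
	}
	if strings.Contains(name, "*") && name != "*" &&
		(!strings.HasPrefix(name, "*.") || strings.Count(name, "*") > 1) {
		return HostSpec{}, fmt.Errorf("host %q: wildcard allowed only in the left-most label", entry)
	}
	return HostSpec{Namespace: ns, DNSName: name}, nil
}

// NamespaceMatches applies the "*" / "." / literal semantics; gatewayNS is the
// namespace the gateway itself runs in.
func (h HostSpec) NamespaceMatches(vsNamespace, gatewayNS string) bool {
	switch h.Namespace {
	case "*":
		return true
	case ".":
		return vsNamespace == gatewayNS
	}
	return vsNamespace == h.Namespace
}

// DNSMatches implements the exact-or-suffix rule: "*.example.com" matches
// "dev.example.com" but neither "example.com" nor "newexample.com".
func (h HostSpec) DNSMatches(vsHost string) bool {
	switch {
	case h.DNSName == "*":
		return true
	case strings.HasPrefix(h.DNSName, "*."):
		suffix := h.DNSName[1:] // ".example.com": a label must precede it
		return len(vsHost) > len(suffix) && strings.HasSuffix(vsHost, suffix)
	}
	return vsHost == h.DNSName
}

// ServerSelects reports whether a VirtualService (its namespace and hosts) is
// matched by at least one server host entry. Entries that fail to parse are
// skipped instead of being treated as a match-all.
func ServerSelects(serverHosts []string, gatewayNS, vsNamespace string, vsHosts []string) bool {
	for _, e := range serverHosts {
		h, err := ParseHost(e)
		if err != nil || !h.NamespaceMatches(vsNamespace, gatewayNS) {
			continue
		}
		for _, vh := range vsHosts {
			if h.DNSMatches(vh) {
				return true
			}
		}
	}
	return false
}

func main() {
	srv := []string{"./foo.example.com", "prod/*.example.com"}
	fmt.Println(ServerSelects(srv, "istio-system", "prod", []string{"dev.example.com"}))     // true
	fmt.Println(ServerSelects(srv, "istio-system", "prod", []string{"newexample.com"}))      // false
	fmt.Println(ServerSelects(srv, "istio-system", "staging", []string{"foo.example.com"})) // false
}
```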

type ServerTLSSettings

type ServerTLSSettings struct {
	// If set to true, the load balancer will send a 301 redirect for
	// all http connections, asking the clients to use HTTPS.
	HttpsRedirect bool `protobuf:"varint,1,opt,name=https_redirect,json=httpsRedirect,proto3" json:"https_redirect,omitempty"`
	// Optional: Indicates whether connections to this port should be
	// secured using TLS. The value of this field determines how TLS is
	// enforced.
	Mode string `protobuf:"varint,2,opt,name=mode,proto3,enum=istio.networking.v1beta1.ServerTLSSettings_TLSmode" json:"mode,omitempty"`
	// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
	// holding the server-side TLS certificate to use.
	ServerCertificate string `protobuf:"bytes,3,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"`
	// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
	// holding the server's private key.
	PrivateKey string `protobuf:"bytes,4,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
	// REQUIRED if mode is `MUTUAL`. The path to a file containing
	// certificate authority certificates to use in verifying a presented
	// client side certificate.
	CaCertificates string `protobuf:"bytes,5,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
	// For gateways running on Kubernetes, the name of the secret that
	// holds the TLS certs including the CA certificates. Applicable
	// only on Kubernetes, and only if the dynamic credential fetching
	// feature is enabled in the proxy by setting
	// `ISTIO_META_USER_SDS` metadata variable.  The secret (of type
	// `generic`) should contain the following keys and values: `key:
	// <privateKey>` and `cert: <serverCert>`. For mutual TLS,
	// `cacert: <CACertificate>` can be provided in the same secret or
	// a separate secret named `<secret>-cacert`.
	// Secret of type tls for server certificates along with
	// ca.crt key for CA certificates is also supported.
	// Only one of server certificates and CA certificate
	// or credentialName can be specified.
	CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"`
	// A list of alternate names to verify the subject identity in the
	// certificate presented by the client.
	SubjectAltNames []string `protobuf:"bytes,6,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
	// An optional list of base64-encoded SHA-256 hashes of the SPKIs of
	// authorized client certificates.
	// Note: When both verify_certificate_hash and verify_certificate_spki
	// are specified, a hash matching either value will result in the
	// certificate being accepted.
	VerifyCertificateSpki []string `` /* 127-byte string literal not displayed */
	// An optional list of hex-encoded SHA-256 hashes of the
	// authorized client certificates. Both simple and colon separated
	// formats are acceptable.
	// Note: When both verify_certificate_hash and verify_certificate_spki
	// are specified, a hash matching either value will result in the
	// certificate being accepted.
	VerifyCertificateHash []string `` /* 127-byte string literal not displayed */
	// Optional: Minimum TLS protocol version.
	MinProtocolVersion string `` /* 178-byte string literal not displayed */
	// Optional: Maximum TLS protocol version.
	MaxProtocolVersion string `` /* 178-byte string literal not displayed */
	// Optional: If specified, only support the specified cipher list.
	// Otherwise default to the default cipher list supported by Envoy.
	CipherSuites         []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
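Added example, not Istio's or this package's code, of the two client certificate pin formats VerifyCertificateSpki and VerifyCertificateHash accept (base64 SHA-256 of the SPKI; hex SHA-256 of the certificate in simple or colon-separated form) and the rule that a match in either list accepts the certificate. The pins are computed from a constructed self-signed certificate, and SPKIPin, CertHash, ColonHex and PinsSatisfied are hypothetical helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SPKIPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the form VerifyCertificateSpki lists.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CertHash is the hex SHA-256 of the whole DER certificate, the form
// VerifyCertificateHash lists (simple, lower-case form).
func CertHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ColonHex renders a hex digest in the colon-separated form the page says is
// also acceptable, upper-cased to show that case is normalized away.
func ColonHex(h string) string {
	var parts []string
	for i := 0; i+2 <= len(h); i += 2 {
		parts = append(parts, strings.ToUpper(h[i:i+2]))
	}
	return strings.Join(parts, ":")
}

// PinsSatisfied applies the page's rule: when both lists are set, a match in
// either one accepts the certificate. With no pins configured there is
// nothing to pin against and the result is true; CA verification
// (CaCertificates) is a separate check and is not modelled here.
func PinsSatisfied(c *x509.Certificate, spkiPins, hashPins []string) bool {
	if len(spkiPins) == 0 && len(hashPins) == 0 {
		return true
	}
	spki, hash := SPKIPin(c), CertHash(c)
	for _, p := range spkiPins {
		if strings.TrimSpace(p) == spki {
			return true
		}
	}
	for _, p := range hashPins {
		// accept both "ab12..." and "AB:12:..." spellings
		if strings.ToLower(strings.ReplaceAll(strings.TrimSpace(p), ":", "")) == hash {
			return true
		}
	}
	return false
}

// NewSelfSignedCert builds a throwaway client certificate (constructed sample
// data, not a real identity) so the pin computation can be exercised offline.
func NewSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := NewSelfSignedCert("client-a")
	if err != nil {
		panic(err)
	}
	fmt.Println("spki:", SPKIPin(c))
	fmt.Println("hash:", ColonHex(CertHash(c)))
	fmt.Println("pinned:", PinsSatisfied(c, []string{SPKIPin(c)}, nil))
}
```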

type TCPRoute

type TCPRoute struct {
	TypeMeta   `json:",inline"`
	ObjectMeta `json:"metadata,omitempty"`

	Spec   TCPRouteSpec   `json:"spec,omitempty"`
	Status TCPRouteStatus `json:"status,omitempty"`
}

TCPRoute is the Schema for the TCPRoute resource.

type TCPRouteList

type TCPRouteList struct {
	TypeMeta `json:",inline"`
	ListMeta `json:"metadata,omitempty"`
	Items    []TCPRoute `json:"items"`
}

TCPRouteList contains a list of TCPRoute.

type TCPRouteMatch

type TCPRouteMatch struct {
	// ExtensionRef is an optional, implementation-specific extension to the
	// "match" behavior.  For example, resource "mytcproutematcher" in group
	// "networking.acme.io". If the referent cannot be found, the rule is not
	// included in the route. The controller should raise the "ResolvedRefs"
	// condition on the Gateway with the "DegradedRoutes" reason. The gateway
	// status for this route should be updated with a condition that describes
	// the error more specifically.
	//
	// Support: custom
	//
	// +optional
	ExtensionRef *LocalObjectReference `json:"extensionRef,omitempty"`
}

TCPRouteMatch defines the predicate used to match connections to a given action.

type TCPRouteRule

type TCPRouteRule struct {
	// Matches define conditions used for matching the rule against
	// incoming TCP connections. Each match is independent, i.e. this
	// rule will be matched if **any** one of the matches is satisfied.
	// If unspecified, all requests from the associated gateway TCP
	// listener will match.
	//
	// +optional
	// +kubebuilder:validation:MaxItems=8
	Matches []TCPRouteMatch `json:"matches,omitempty"`

	// ForwardTo defines the backend(s) where matching requests should
	// be sent.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	ForwardTo []RouteForwardTo `json:"forwardTo"`
}

TCPRouteRule is the configuration for a given rule.

type TCPRouteSpec

type TCPRouteSpec struct {
	// Rules are a list of TCP matchers and actions.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	Rules []TCPRouteRule `json:"rules"`

	// Gateways defines which Gateways can use this Route.
	//
	// +kubebuilder:default={allow: "SameNamespace"}
	Gateways RouteGateways `json:"gateways,omitempty"`
}

TCPRouteSpec defines the desired state of TCPRoute.

type TCPRouteStatus

type TCPRouteStatus struct {
	RouteStatus `json:",inline"`
}

TCPRouteStatus defines the observed state of TCPRoute.

type TLSModeType

type TLSModeType string

TLSModeType defines the behavior of a Gateway for the TLS protocol.

+kubebuilder:validation:Enum=Terminate;Passthrough
+kubebuilder:default=Terminate

const (
	// TLSModeTerminate represents the Terminate mode.
	// In this mode, TLS session between the downstream client
	// and the Gateway is terminated at the Gateway.
	TLSModeTerminate TLSModeType = "Terminate"
	// TLSModePassthrough represents the Passthrough mode.
	// In this mode, the TLS session is NOT terminated by the Gateway. This
	// implies that the Gateway can't decipher the TLS stream except for
	// the ClientHello message of the TLS protocol, so routing can only be
	// keyed on the plaintext SNI the client chose to send, and no
	// application-layer policy or inspection is possible at the Gateway.
	TLSModePassthrough TLSModeType = "Passthrough"
)
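The distinction above is easiest to see on the wire. The following Go program is an added example, not code from this package or from the Gateway API project: it drives Go's own crypto/tls client over an in-memory net.Pipe, captures the ClientHello it emits, and parses the server_name extension (RFC 6066) from it, which is all a Passthrough listener ever gets to read before the rest of the session becomes opaque to it. The hostnames are constructed for the demonstration; the record and extension layout follows RFC 5246/8446.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

var (
	errMalformed = errors.New("not a well-formed TLS ClientHello record")
	errNoSNI     = errors.New("ClientHello carries no server_name extension")
)

// captureClientHello drives Go's own TLS client against one end of an
// in-memory net.Pipe and returns the raw bytes of the first record it
// writes, which is the ClientHello. Nothing touches the network.
func captureClientHello(serverName string) ([]byte, error) {
	clientEnd, gatewayEnd := net.Pipe()
	defer gatewayEnd.Close() // closing the "gateway" side makes the client give up after its ClientHello

	go func() {
		cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
		_ = tls.Client(clientEnd, cfg).Handshake() // fails with EOF once gatewayEnd closes; expected
		clientEnd.Close()
	}()

	header := make([]byte, 5) // content_type(1) version(2) length(2)
	if _, err := io.ReadFull(gatewayEnd, header); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(header[3:5]))
	if _, err := io.ReadFull(gatewayEnd, body); err != nil {
		return nil, err
	}
	return append(header, body...), nil
}

// vec8 and vec16 split a length-prefixed vector (1- or 2-byte length) off b.
func vec8(b []byte) (v, rest []byte, ok bool) {
	if len(b) < 1 || len(b) < 1+int(b[0]) {
		return nil, nil, false
	}
	n := int(b[0])
	return b[1 : 1+n], b[1+n:], true
}

func vec16(b []byte) (v, rest []byte, ok bool) {
	if len(b) < 2 {
		return nil, nil, false
	}
	n := int(binary.BigEndian.Uint16(b))
	if len(b) < 2+n {
		return nil, nil, false
	}
	return b[2 : 2+n], b[2+n:], true
}

// sniFromClientHello extracts server_name from a TLS record carrying a
// ClientHello. This is exactly the routing key a Passthrough listener has:
// it is the only part of the session sent in the clear, and it is chosen
// by the client, so it is a hint, not an authenticated identity.
func sniFromClientHello(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != 0x16 { // record content_type 22 = handshake
		return "", errMalformed
	}
	hs := rec[5:]
	if len(hs) < 4 || hs[0] != 0x01 { // handshake type 1 = client_hello
		return "", errMalformed
	}
	n := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	hs = hs[4:]
	if len(hs) < n {
		return "", errMalformed
	}
	hs = hs[:n]
	if len(hs) < 34 { // legacy_version(2) + random(32)
		return "", errMalformed
	}
	hs = hs[34:]
	var ok bool
	if _, hs, ok = vec8(hs); !ok { // legacy_session_id
		return "", errMalformed
	}
	if _, hs, ok = vec16(hs); !ok { // cipher_suites
		return "", errMalformed
	}
	if _, hs, ok = vec8(hs); !ok { // legacy_compression_methods
		return "", errMalformed
	}
	if len(hs) == 0 { // the extensions block is optional
		return "", errNoSNI
	}
	exts, _, ok := vec16(hs)
	if !ok {
		return "", errMalformed
	}
	for len(exts) > 0 {
		if len(exts) < 2 {
			return "", errMalformed
		}
		extType := binary.BigEndian.Uint16(exts)
		var data []byte
		if data, exts, ok = vec16(exts[2:]); !ok {
			return "", errMalformed
		}
		if extType != 0 { // extension type 0 = server_name
			continue
		}
		names, _, ok := vec16(data)
		if !ok {
			return "", errMalformed
		}
		for len(names) > 0 {
			nameType := names[0]
			var host []byte
			if host, names, ok = vec16(names[1:]); !ok {
				return "", errMalformed
			}
			if nameType == 0 { // name_type 0 = host_name
				return string(host), nil
			}
		}
	}
	return "", errNoSNI
}

func main() {
	// Constructed inputs: a hostname, and an IP literal for which Go's client sends no SNI at all.
	for _, host := range []string{"payments.internal.example", "10.0.0.1"} {
		rec, err := captureClientHello(host)
		if err != nil {
			fmt.Println("capture:", err)
			continue
		}
		sni, err := sniFromClientHello(rec)
		fmt.Printf("ServerName=%q -> %d-byte ClientHello, SNI=%q err=%v\n", host, len(rec), sni, err)
	}
}
```

Two things fall out of running it. A client that connects to an IP literal sends no server_name at all, so a Passthrough listener has no routing key for that connection and must either reject it or have an explicit default backend; silently picking the first route is how cross-tenant misrouting happens. And because the name is client-chosen, a Passthrough Gateway cannot verify it; only the backend's own TLS handshake (its certificate and any client authentication) establishes who is actually talking to whom.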

type TLSOverridePolicy

type TLSOverridePolicy struct {
	// Certificate dictates if TLS certificates can be configured
	// via Routes. If set to 'Allow', a TLS certificate for a hostname
	// defined in a Route takes precedence over the certificate defined in
	// Gateway. That means anyone who can bind a Route to this Gateway can
	// choose the certificate served for that hostname; leave this at
	// 'Deny' unless Route authors are trusted to the same degree as the
	// Gateway owner.
	//
	// Support: Core
	//
	// +kubebuilder:default=Deny
	Certificate TLSRouteOverrideType `json:"certificate"`
}

TLSOverridePolicy defines a schema for overriding TLS settings at the Route level.

type TLSRouteOverrideType

type TLSRouteOverrideType string

TLSRouteOverrideType defines whether Routes are allowed to override a specific TLS setting of the Gateway.

+kubebuilder:validation:Enum=Allow;Deny +kubebuilder:default=Deny

const (
	// TLSROuteOVerrideAllow allows the parameter to be configured from all routes.
	TLSROuteOVerrideAllow TLSRouteOverrideType = "Allow"

	// TLSRouteOverrideDeny prohibits the parameter to be configured from any route.
	TLSRouteOverrideDeny TLSRouteOverrideType = "Deny"
)

type Time

type Time struct {
	time.Time `protobuf:"-"`
}

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

+protobuf.options.marshal=false +protobuf.as=Timestamp +protobuf.options.(gogoproto.goproto_stringer)=false

func (Time) MarshalJSON

func (t Time) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*Time) UnmarshalJSON

func (t *Time) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type TypeMeta

type TypeMeta struct {
	// Kind is a string value representing the REST resource this object represents.
	// Servers may infer this from the endpoint the client submits requests to.
	// Cannot be updated.
	// In CamelCase.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	// +optional
	Kind string `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"`

	// APIVersion defines the versioned schema of this representation of an object.
	// Servers should convert recognized schemas to the latest internal value, and
	// may reject unrecognized values.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	// +optional
	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=apiVersion"`
}

TypeMeta describes an individual object in an API response or request with strings representing the type of the object and its API schema version. Structures that are versioned or persisted should inline TypeMeta.

+k8s:deepcopy-gen=false

type UID

type UID string

UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, it is declared as its own string type (not a type alias). Being a distinct type captures intent and helps make sure that UIDs and names do not get conflated.

type UserAuthProvider

type UserAuthProvider struct {
	Name string `json:"name,omitempty"`
}
