v1beta2

package
v0.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Oct 2, 2024 License: Apache-2.0 Imports: 19 Imported by: 3

Documentation

Overview

Package v1beta1 contains API Schema definitions for the kuadrant v1beta1 API group.

+kubebuilder:object:generate=true
+groupName=kuadrant.io

Index

Constants

// Annotation keys associated with AuthPolicy references.
//
// NOTE(review): which objects carry these annotations, and whether the
// controller treats their values as authoritative, is not visible here.
// Annotations can usually be edited by anyone allowed to update the annotated
// object, so confirm they are never the sole input to an access decision.
const (
	// AuthPolicyDirectReferenceAnnotationName is the annotation key
	// "kuadrant.io/authpolicy" (singular).
	AuthPolicyDirectReferenceAnnotationName = "kuadrant.io/authpolicy"

	// AuthPolicyBackReferenceAnnotationName is the annotation key
	// "kuadrant.io/authpolicies" (plural).
	AuthPolicyBackReferenceAnnotationName = "kuadrant.io/authpolicies"
)

Variables

// GroupVersion is the group version used to register these objects.
//
// NOTE(review): the version registered here is "v1beta2", while the package
// overview text names v1beta1 — confirm the overview is a stale leftover.
var GroupVersion = schema.GroupVersion{Group: "kuadrant.io", Version: "v1beta2"}

// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
var SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

// AddToScheme adds the types in this group-version to the given scheme.
var AddToScheme = SchemeBuilder.AddToScheme
// Resource and kind identifiers for the two policy types of this API group.
// All four are derived from GroupVersion, so they share its group name.
var (
	// AuthPolicy identifiers.
	AuthPolicyKind       = GroupVersion.WithKind("AuthPolicy").GroupKind()
	AuthPoliciesResource = GroupVersion.WithResource("authpolicies")

	// RateLimitPolicy identifiers.
	RateLimitPolicyKind       = GroupVersion.WithKind("RateLimitPolicy").GroupKind()
	RateLimitPoliciesResource = GroupVersion.WithResource("ratelimitpolicies")
)
// AuthPolicyGVK is the group/version/kind of AuthPolicy, built from the
// package GroupVersion and the kind name "AuthPolicy".
var AuthPolicyGVK = GroupVersion.WithKind("AuthPolicy")
// RateLimitPolicyGVK is the group/version/kind of RateLimitPolicy, built from
// the package GroupVersion and the kind name "RateLimitPolicy".
var RateLimitPolicyGVK = GroupVersion.WithKind("RateLimitPolicy")

Functions

func NewAuthPolicyType added in v0.10.0

func NewAuthPolicyType() kuadrantgatewayapi.PolicyType

func NewRateLimitPolicyType added in v0.10.0

func NewRateLimitPolicyType() kuadrantgatewayapi.PolicyType

func RateLimitPolicyStatusMutator added in v0.10.0

func RateLimitPolicyStatusMutator(desiredStatus *RateLimitPolicyStatus, logger logr.Logger) reconcilers.StatusMutatorFunc

Types

type AuthPolicy

// AuthPolicy is the top-level API object of kind "AuthPolicy": Kubernetes
// type and object metadata, the desired Spec and the reported Status.
type AuthPolicy struct {
	// TypeMeta is inlined into the serialized object.
	metav1.TypeMeta   `json:",inline"`
	// ObjectMeta is serialized under "metadata".
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired auth configuration and the object it targets.
	Spec   AuthPolicySpec   `json:"spec,omitempty"`
	// Status carries the observed generation and conditions.
	// NOTE(review): presumably written by the controller only — confirm that
	// nothing reads Status as an input to enforcement.
	Status AuthPolicyStatus `json:"status,omitempty"`
}

AuthPolicy enables authentication and authorization for service workloads in a Gateway API network

func (*AuthPolicy) BackReferenceAnnotationName added in v0.7.0

func (ap *AuthPolicy) BackReferenceAnnotationName() string

func (*AuthPolicy) DeepCopy

func (in *AuthPolicy) DeepCopy() *AuthPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicy.

func (*AuthPolicy) DeepCopyInto

func (in *AuthPolicy) DeepCopyInto(out *AuthPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthPolicy) DeepCopyObject

func (in *AuthPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthPolicy) DirectReferenceAnnotationName added in v0.7.0

func (ap *AuthPolicy) DirectReferenceAnnotationName() string

func (*AuthPolicy) GetLocator added in v0.10.0

func (ap *AuthPolicy) GetLocator() string

func (*AuthPolicy) GetMergeStrategy added in v0.10.0

func (ap *AuthPolicy) GetMergeStrategy() machinery.MergeStrategy

func (*AuthPolicy) GetRulesHostnames

func (ap *AuthPolicy) GetRulesHostnames() (ruleHosts []string)

GetRulesHostnames returns all hostnames referenced in the route selectors of the policy.

func (*AuthPolicy) GetStatus added in v0.7.0

func (ap *AuthPolicy) GetStatus() kuadrantgatewayapi.PolicyStatus

func (*AuthPolicy) GetTargetRef

func (*AuthPolicy) GetTargetRefs added in v0.10.0

func (ap *AuthPolicy) GetTargetRefs() []machinery.PolicyTargetReference

func (*AuthPolicy) GetWrappedNamespace

func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1.Namespace

func (*AuthPolicy) IsAtomicOverride added in v0.7.0

func (ap *AuthPolicy) IsAtomicOverride() bool

func (*AuthPolicy) Kind added in v0.7.0

func (ap *AuthPolicy) Kind() string

func (*AuthPolicy) Merge added in v0.10.0

func (ap *AuthPolicy) Merge(other machinery.Policy) machinery.Policy

func (*AuthPolicy) PolicyClass added in v0.7.0

func (ap *AuthPolicy) PolicyClass() kuadrantgatewayapi.PolicyClass

func (*AuthPolicy) TargetProgrammedGatewaysOnly added in v0.10.0

func (ap *AuthPolicy) TargetProgrammedGatewaysOnly() bool

type AuthPolicyCommonSpec added in v0.7.0

// AuthPolicyCommonSpec holds the fields that can appear as implicit defaults,
// under `defaults` or under `overrides` of an AuthPolicy: route selectors,
// named patterns, `when` conditions and the auth rules.
type AuthPolicyCommonSpec struct {
	// NOTE(review): route selectors narrow when the external authorization
	// service is triggered. Per the field text below, a request that matches
	// none of the selected HTTPRoute rules does not trigger the AuthPolicy —
	// presumably it is then served without these auth rules; confirm that this
	// is the intended exposure for every selector set.

	// Top-level route selectors.
	// If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the external authorization service.
	// At least one selected HTTPRoute rule must match to trigger the AuthPolicy.
	// If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes.
	// +optional
	// +kubebuilder:validation:MaxItems=15
	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`

	// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules.
	// Serialized under the key "patterns" (the Go name is NamedPatterns).
	// +optional
	NamedPatterns map[string]authorinoapi.PatternExpressions `json:"patterns,omitempty"`

	// NOTE(review): per the field text below, a `when` list that does not fully
	// match makes the authorization service skip the policy and answer OK, i.e.
	// the request is let through without the rules being evaluated. Review each
	// condition as part of the access decision, not as a mere filter.

	// Overall conditions for the AuthPolicy to be enforced.
	// If omitted, the AuthPolicy will be enforced at all requests to the protected routes.
	// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK.
	// Serialized under the key "when" (the Go name is Conditions).
	// +optional
	Conditions []authorinoapi.PatternExpressionOrRef `json:"when,omitempty"`

	// The auth rules of the policy.
	// See Authorino's AuthConfig CRD for more details.
	// Serialized under the key "rules" (the Go name is AuthScheme).
	// NOTE(review): the pointer may be nil; what is enforced when `rules` is
	// omitted is not visible here — confirm against the controller.
	AuthScheme *AuthSchemeSpec `json:"rules,omitempty"`
}

AuthPolicyCommonSpec contains common shared fields for defaults and overrides

func (*AuthPolicyCommonSpec) DeepCopy added in v0.7.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyCommonSpec.

func (*AuthPolicyCommonSpec) DeepCopyInto added in v0.7.0

func (in *AuthPolicyCommonSpec) DeepCopyInto(out *AuthPolicyCommonSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (AuthPolicyCommonSpec) GetRouteSelectors added in v0.7.0

func (c AuthPolicyCommonSpec) GetRouteSelectors() []RouteSelector

GetRouteSelectors returns the top-level route selectors of the auth scheme. impl: RouteSelectorsGetter

type AuthPolicyList

// AuthPolicyList is the list form of AuthPolicy: Kubernetes type and list
// metadata plus the AuthPolicy items themselves.
type AuthPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items has no omitempty option, so the "items" key is always emitted.
	Items           []AuthPolicy `json:"items"`
}

AuthPolicyList contains a list of AuthPolicy

func (*AuthPolicyList) DeepCopy

func (in *AuthPolicyList) DeepCopy() *AuthPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyList.

func (*AuthPolicyList) DeepCopyInto

func (in *AuthPolicyList) DeepCopyInto(out *AuthPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthPolicyList) DeepCopyObject

func (in *AuthPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthPolicyList) GetItems

func (l *AuthPolicyList) GetItems() []kuadrant.Policy

type AuthPolicySpec

// AuthPolicySpec is the Spec of an AuthPolicy: the object the policy targets
// and the auth configuration, given either as implicit defaults (the embedded
// AuthPolicyCommonSpec), as explicit Defaults, or as Overrides. The type-level
// validation rules on this page make those three forms mutually exclusive.
type AuthPolicySpec struct {
	// TargetRef identifies an API object to apply policy to.
	// The two rules below restrict the reference to group
	// 'gateway.networking.k8s.io' and to kind 'HTTPRoute' or 'Gateway'.
	// NOTE(review): the type name LocalPolicyTargetReference suggests the
	// target is resolved in the policy's own namespace — confirm against the
	// gatewayapiv1alpha2 version in use.
	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
	// +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'"
	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"`

	// Defaults define explicit default values for this policy and for policies inheriting this policy.
	// Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec.
	// +optional
	Defaults *AuthPolicyCommonSpec `json:"defaults,omitempty"`

	// Overrides define explicit override values for this policy.
	// Overrides are mutually exclusive with explicit and implicit defaults defined by AuthPolicyCommonSpec.
	// The type-level validation rules on this page reject overrides when
	// targetRef.kind is 'HTTPRoute'.
	// +optional
	Overrides *AuthPolicyCommonSpec `json:"overrides,omitempty"`

	// AuthPolicyCommonSpec defines implicit default values for this policy and for policies inheriting this policy.
	// AuthPolicyCommonSpec is mutually exclusive with explicit defaults defined by Defaults.
	// Embedded with an empty JSON name, so with encoding/json semantics its
	// fields (routeSelectors, patterns, when, rules) appear directly in the spec.
	AuthPolicyCommonSpec `json:""`
}

RouteSelectors - implicit default validation +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.routeSelectors)",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.authentication) || !self.rules.authentication.exists(x, has(self.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.metadata) || !self.rules.metadata.exists(x, has(self.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.authorization) || !self.rules.authorization.exists(x, has(self.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.response) || !has(self.rules.response.success) || !has(self.rules.response.success.headers) || !self.rules.response.success.headers.exists(x, has(self.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.response) || !has(self.rules.response.success) || !has(self.rules.response.success.dynamicMetadata) || !self.rules.response.success.dynamicMetadata.exists(x, has(self.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.callbacks) || !self.rules.callbacks.exists(x, 
has(self.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" RouteSelectors - explicit default validation +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.routeSelectors)",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.authentication) || !self.defaults.rules.authentication.exists(x, has(self.defaults.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.metadata) || !self.defaults.rules.metadata.exists(x, has(self.defaults.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.authorization) || !self.defaults.rules.authorization.exists(x, has(self.defaults.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.response) || !has(self.defaults.rules.response.success) || !has(self.defaults.rules.response.success.headers) || !self.defaults.rules.response.success.headers.exists(x, has(self.defaults.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.response) || 
!has(self.defaults.rules.response.success) || !has(self.defaults.rules.response.success.dynamicMetadata) || !self.defaults.rules.response.success.dynamicMetadata.exists(x, has(self.defaults.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.callbacks) || !self.defaults.rules.callbacks.exists(x, has(self.defaults.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" RouteSelectors - explicit overrides validation +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.routeSelectors)",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.authentication) || !self.overrides.rules.authentication.exists(x, has(self.overrides.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.metadata) || !self.overrides.rules.metadata.exists(x, has(self.overrides.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.authorization) || !self.overrides.rules.authorization.exists(x, has(self.overrides.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' 
|| !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.response) || !has(self.overrides.rules.response.success) || !has(self.overrides.rules.response.success.headers) || !self.overrides.rules.response.success.headers.exists(x, has(self.overrides.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.response) || !has(self.overrides.rules.response.success) || !has(self.overrides.rules.response.success.dynamicMetadata) || !self.overrides.rules.response.success.dynamicMetadata.exists(x, has(self.overrides.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.callbacks) || !self.overrides.rules.callbacks.exists(x, has(self.overrides.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" Mutual Exclusivity Validation +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit and explicit defaults are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit defaults and explicit overrides are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.defaults))",message="Explicit overrides and explicit defaults are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && self.targetRef.kind == 'HTTPRoute')",message="Overrides are not allowed for 
policies targeting a HTTPRoute resource"

func (*AuthPolicySpec) CommonSpec added in v0.7.0

func (ap *AuthPolicySpec) CommonSpec() *AuthPolicyCommonSpec

func (*AuthPolicySpec) DeepCopy

func (in *AuthPolicySpec) DeepCopy() *AuthPolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicySpec.

func (*AuthPolicySpec) DeepCopyInto

func (in *AuthPolicySpec) DeepCopyInto(out *AuthPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthPolicyStatus

// AuthPolicyStatus is the Status of an AuthPolicy: the last observed spec
// generation and the list of conditions.
type AuthPolicyStatus struct {
	// ObservedGeneration reflects the generation of the most recently observed spec.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Represents the observations of an AuthPolicy's current state.
	// Known .status.conditions.type are: "Available"
	// The markers below declare the list as a map keyed by the condition type.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
}

func (*AuthPolicyStatus) DeepCopy

func (in *AuthPolicyStatus) DeepCopy() *AuthPolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyStatus.

func (*AuthPolicyStatus) DeepCopyInto

func (in *AuthPolicyStatus) DeepCopyInto(out *AuthPolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthPolicyStatus) Equals

func (s *AuthPolicyStatus) Equals(other *AuthPolicyStatus, logger logr.Logger) bool

func (*AuthPolicyStatus) GetConditions added in v0.7.0

func (s *AuthPolicyStatus) GetConditions() []metav1.Condition

type AuthSchemeSpec

// AuthSchemeSpec is the set of auth rules of an AuthPolicy (serialized as
// `rules` in AuthPolicyCommonSpec): authentication, metadata, authorization,
// response and callbacks. Each map is keyed by a rule name; the maps that
// carry a MaxProperties marker are capped at 10 entries.
type AuthSchemeSpec struct {
	// NOTE(review): the two evaluation rules differ — authentication succeeds
	// when at least one config yields an identity, authorization only when
	// every policy allows. What happens when `authentication` is omitted or
	// empty is not stated here; check Authorino's AuthConfig semantics before
	// relying on an AuthPolicy that has no authentication configs.

	// Authentication configs.
	// At least one config MUST evaluate to a valid identity object for the auth request to be successful.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Authentication map[string]AuthenticationSpec `json:"authentication,omitempty"`

	// Metadata sources.
	// Authorino fetches auth metadata as JSON from sources specified in this config.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Metadata map[string]MetadataSpec `json:"metadata,omitempty"`

	// Authorization policies.
	// All policies MUST evaluate to "allowed = true" for the auth request to be successful.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Authorization map[string]AuthorizationSpec `json:"authorization,omitempty"`

	// Response items.
	// Authorino builds custom responses to the client of the auth request.
	// +optional
	Response *ResponseSpec `json:"response,omitempty"`

	// Callback functions.
	// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Callbacks map[string]CallbackSpec `json:"callbacks,omitempty"`
}

func (*AuthSchemeSpec) DeepCopy

func (in *AuthSchemeSpec) DeepCopy() *AuthSchemeSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSchemeSpec.

func (*AuthSchemeSpec) DeepCopyInto

func (in *AuthSchemeSpec) DeepCopyInto(out *AuthSchemeSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthenticationSpec

// AuthenticationSpec is one entry of AuthSchemeSpec.Authentication. It
// combines Authorino's AuthenticationSpec with the per-rule route selectors of
// CommonAuthRuleSpec. Both are embedded with an empty JSON name, so with
// encoding/json semantics their fields are flattened into this object.
type AuthenticationSpec struct {
	authorinoapi.AuthenticationSpec `json:""`
	CommonAuthRuleSpec              `json:""`
}

func (*AuthenticationSpec) DeepCopy

func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationSpec.

func (*AuthenticationSpec) DeepCopyInto

func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthorizationSpec

// AuthorizationSpec is one entry of AuthSchemeSpec.Authorization. It combines
// Authorino's AuthorizationSpec with the per-rule route selectors of
// CommonAuthRuleSpec. Both are embedded with an empty JSON name, so with
// encoding/json semantics their fields are flattened into this object.
type AuthorizationSpec struct {
	authorinoapi.AuthorizationSpec `json:""`
	CommonAuthRuleSpec             `json:""`
}

func (*AuthorizationSpec) DeepCopy

func (in *AuthorizationSpec) DeepCopy() *AuthorizationSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationSpec.

func (*AuthorizationSpec) DeepCopyInto

func (in *AuthorizationSpec) DeepCopyInto(out *AuthorizationSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CallbackSpec

// CallbackSpec is one entry of AuthSchemeSpec.Callbacks. It combines
// Authorino's CallbackSpec with the per-rule route selectors of
// CommonAuthRuleSpec. Both are embedded with an empty JSON name, so with
// encoding/json semantics their fields are flattened into this object.
// NOTE(review): callbacks are sent to endpoints named in the policy; which
// destinations are permitted is not constrained by anything visible here.
type CallbackSpec struct {
	authorinoapi.CallbackSpec `json:""`
	CommonAuthRuleSpec        `json:""`
}

func (*CallbackSpec) DeepCopy

func (in *CallbackSpec) DeepCopy() *CallbackSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallbackSpec.

func (*CallbackSpec) DeepCopyInto

func (in *CallbackSpec) DeepCopyInto(out *CallbackSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CommonAuthRuleSpec

// CommonAuthRuleSpec holds the route selectors that can be attached to a
// single auth rule. It is embedded by the per-rule spec types of this package
// (AuthenticationSpec, AuthorizationSpec, MetadataSpec, CallbackSpec).
type CommonAuthRuleSpec struct {
	// NOTE(review): per the field text below, a rule with selectors is only
	// triggered for requests matching one of the selected HTTPRoute rules.
	// Presumably other requests skip this rule entirely — confirm, since a
	// selector on an authorization rule then narrows where it is enforced.

	// Top-level route selectors.
	// If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule.
	// At least one selected HTTPRoute rule must match to trigger the auth rule.
	// If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes.
	// The list is capped at 8 items here (the policy-level list allows 15).
	// +optional
	// +kubebuilder:validation:MaxItems=8
	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
}

func (*CommonAuthRuleSpec) DeepCopy

func (in *CommonAuthRuleSpec) DeepCopy() *CommonAuthRuleSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonAuthRuleSpec.

func (*CommonAuthRuleSpec) DeepCopyInto

func (in *CommonAuthRuleSpec) DeepCopyInto(out *CommonAuthRuleSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (CommonAuthRuleSpec) GetRouteSelectors

func (s CommonAuthRuleSpec) GetRouteSelectors() []RouteSelector

GetRouteSelectors returns the route selectors of the auth rule spec. impl: RouteSelectorsGetter

type ContextSelector

// ContextSelector names one well-known attribute by a dot-separated path,
// e.g. "request.path". It is a plain string type; it is used as the element
// type of Limit.Counters.
type ContextSelector string

ContextSelector defines one item from the well-known attributes.

Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes

Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors

They are named by a dot-separated path (e.g. request.path).

Example: "request.path" -> The path portion of the URL

+kubebuilder:validation:MinLength=1
+kubebuilder:validation:MaxLength=253

type HeaderSuccessResponseSpec

// HeaderSuccessResponseSpec wraps SuccessResponseSpec without adding fields.
// The embedded struct has an empty JSON name, so with encoding/json semantics
// its fields are flattened into this object.
// NOTE(review): presumably the element type of `response.success.headers`
// referenced by the AuthPolicySpec validation rules — confirm in ResponseSpec.
type HeaderSuccessResponseSpec struct {
	SuccessResponseSpec `json:""`
}

func (*HeaderSuccessResponseSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderSuccessResponseSpec.

func (*HeaderSuccessResponseSpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Limit

// Limit is one named rate limit of a RateLimitPolicy: which requests it
// applies to (route selectors and `when` conditions), how requests are
// counted (counters) and the rates themselves.
type Limit struct {
	// RouteSelectors defines semantics for matching an HTTP request based on conditions
	// +optional
	// +kubebuilder:validation:MaxItems=15
	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`

	// NOTE(review): of the four lists in this struct only RouteSelectors has a
	// MaxItems marker; whether When, Counters and Rates are bounded elsewhere
	// is not visible here.

	// When holds the list of conditions for the policy to be enforced.
	// Called also "soft" conditions as route selectors must also match
	// +optional
	When []WhenCondition `json:"when,omitempty"`

	// NOTE(review): counters are derived from request context. Presumably each
	// distinct selector value is counted separately — confirm how the limiter
	// keys its counters, and prefer attributes a client cannot vary freely.

	// Counters defines additional rate limit counters based on context qualifiers and well known selectors
	// TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
	// +optional
	Counters []ContextSelector `json:"counters,omitempty"`

	// Rates holds the list of limit rates
	// +optional
	Rates []Rate `json:"rates,omitempty"`
}

Limit represents a complete rate limit configuration

func (Limit) CountersAsStringList

func (l Limit) CountersAsStringList() []string

func (*Limit) DeepCopy

func (in *Limit) DeepCopy() *Limit

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Limit.

func (*Limit) DeepCopyInto

func (in *Limit) DeepCopyInto(out *Limit)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MetadataSpec

// MetadataSpec is one entry of AuthSchemeSpec.Metadata. It combines
// Authorino's MetadataSpec with the per-rule route selectors of
// CommonAuthRuleSpec. Both are embedded with an empty JSON name, so with
// encoding/json semantics their fields are flattened into this object.
type MetadataSpec struct {
	authorinoapi.MetadataSpec `json:""`
	CommonAuthRuleSpec        `json:""`
}

func (*MetadataSpec) DeepCopy

func (in *MetadataSpec) DeepCopy() *MetadataSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetadataSpec.

func (*MetadataSpec) DeepCopyInto

func (in *MetadataSpec) DeepCopyInto(out *MetadataSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Rate

// Rate is one limit rate: at most Limit requests per Duration, with Duration
// expressed in Unit. All three JSON keys lack omitempty and an optional marker.
type Rate struct {
	// NOTE(review): Limit and Duration are plain ints and no Minimum
	// validation marker is visible on either; whether zero or negative values
	// are rejected elsewhere cannot be told from here — confirm.

	// Limit defines the max value allowed for a given period of time
	Limit int `json:"limit"`

	// Duration defines the time period for which the Limit specified above applies.
	Duration int `json:"duration"`

	// Unit defines the time unit of the Duration.
	// Possible values are: "second", "minute", "hour", "day"
	Unit TimeUnit `json:"unit"`
}

Rate defines the actual rate limit that will be used when there is a match

func (*Rate) DeepCopy

func (in *Rate) DeepCopy() *Rate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rate.

func (*Rate) DeepCopyInto

func (in *Rate) DeepCopyInto(out *Rate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RateLimitPolicy

// RateLimitPolicy is the top-level API object of kind "RateLimitPolicy":
// Kubernetes type and object metadata, the desired Spec and the reported
// Status.
type RateLimitPolicy struct {
	// TypeMeta is inlined into the serialized object.
	metav1.TypeMeta   `json:",inline"`
	// ObjectMeta is serialized under "metadata".
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired rate limit configuration and the object it targets.
	Spec   RateLimitPolicySpec   `json:"spec,omitempty"`
	// Status carries the status metadata and conditions.
	Status RateLimitPolicyStatus `json:"status,omitempty"`
}

RateLimitPolicy enables rate limiting for service workloads in a Gateway API network

func (*RateLimitPolicy) BackReferenceAnnotationName added in v0.7.0

func (r *RateLimitPolicy) BackReferenceAnnotationName() string

func (*RateLimitPolicy) DeepCopy

func (in *RateLimitPolicy) DeepCopy() *RateLimitPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicy.

func (*RateLimitPolicy) DeepCopyInto

func (in *RateLimitPolicy) DeepCopyInto(out *RateLimitPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RateLimitPolicy) DeepCopyObject

func (in *RateLimitPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*RateLimitPolicy) DirectReferenceAnnotationName added in v0.7.0

func (r *RateLimitPolicy) DirectReferenceAnnotationName() string

func (*RateLimitPolicy) GetLocator added in v0.10.0

func (r *RateLimitPolicy) GetLocator() string

func (*RateLimitPolicy) GetMergeStrategy added in v0.10.0

func (r *RateLimitPolicy) GetMergeStrategy() machinery.MergeStrategy

func (*RateLimitPolicy) GetObservedGeneration added in v0.10.0

func (r *RateLimitPolicy) GetObservedGeneration() int64

func (*RateLimitPolicy) GetRulesHostnames

func (r *RateLimitPolicy) GetRulesHostnames() (ruleHosts []string)

func (*RateLimitPolicy) GetStatus added in v0.7.0

func (*RateLimitPolicy) GetTargetRef

func (*RateLimitPolicy) GetTargetRefs added in v0.10.0

func (r *RateLimitPolicy) GetTargetRefs() []machinery.PolicyTargetReference

func (*RateLimitPolicy) GetWrappedNamespace

func (r *RateLimitPolicy) GetWrappedNamespace() gatewayapiv1.Namespace

func (*RateLimitPolicy) Kind added in v0.7.0

func (r *RateLimitPolicy) Kind() string

func (*RateLimitPolicy) Merge added in v0.10.0

func (*RateLimitPolicy) PolicyClass added in v0.7.0

func (*RateLimitPolicy) SetObservedGeneration added in v0.10.0

func (r *RateLimitPolicy) SetObservedGeneration(o int64)

func (*RateLimitPolicy) TargetProgrammedGatewaysOnly added in v0.10.0

func (r *RateLimitPolicy) TargetProgrammedGatewaysOnly() bool

type RateLimitPolicyCommonSpec added in v0.7.0

// RateLimitPolicyCommonSpec holds the limits that can appear as implicit
// defaults, under `defaults` or under `overrides` of a RateLimitPolicy.
type RateLimitPolicyCommonSpec struct {
	// Limits holds the struct of limits indexed by a unique name
	// The map is capped at 14 entries by the marker below.
	// +optional
	// +kubebuilder:validation:MaxProperties=14
	Limits map[string]Limit `json:"limits,omitempty"`
}

RateLimitPolicyCommonSpec contains common shared fields.

func (*RateLimitPolicyCommonSpec) DeepCopy added in v0.7.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicyCommonSpec.

func (*RateLimitPolicyCommonSpec) DeepCopyInto added in v0.7.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RateLimitPolicyList

// RateLimitPolicyList is the list form of RateLimitPolicy: Kubernetes type and
// list metadata plus the RateLimitPolicy items themselves.
type RateLimitPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items has no omitempty option, so the "items" key is always emitted.
	Items           []RateLimitPolicy `json:"items"`
}

RateLimitPolicyList contains a list of RateLimitPolicy

func (*RateLimitPolicyList) DeepCopy

func (in *RateLimitPolicyList) DeepCopy() *RateLimitPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicyList.

func (*RateLimitPolicyList) DeepCopyInto

func (in *RateLimitPolicyList) DeepCopyInto(out *RateLimitPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RateLimitPolicyList) DeepCopyObject

func (in *RateLimitPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*RateLimitPolicyList) GetItems

func (l *RateLimitPolicyList) GetItems() []kuadrant.Policy

type RateLimitPolicySpec

// RateLimitPolicySpec is the Spec of a RateLimitPolicy: the object the policy
// targets and the limits, given either as implicit defaults (the embedded
// RateLimitPolicyCommonSpec), as explicit Defaults, or as Overrides. The
// type-level validation rules on this page make those forms mutually exclusive.
type RateLimitPolicySpec struct {
	// TargetRef identifies an API object to apply policy to.
	// The two rules below restrict the reference to group
	// 'gateway.networking.k8s.io' and to kind 'HTTPRoute' or 'Gateway'.
	// NOTE(review): the type name LocalPolicyTargetReference suggests the
	// target is resolved in the policy's own namespace — confirm against the
	// gatewayapiv1alpha2 version in use.
	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
	// +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'"
	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"`

	// Defaults define explicit default values for this policy and for policies inheriting this policy.
	// Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec.
	// +optional
	Defaults *RateLimitPolicyCommonSpec `json:"defaults,omitempty"`

	// Overrides define override values for this policy and for policies inheriting this policy.
	// Overrides are mutually exclusive with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec.
	// The type-level validation rules on this page allow overrides only when
	// targetRef.kind is 'Gateway'.
	// +optional
	Overrides *RateLimitPolicyCommonSpec `json:"overrides,omitempty"`

	// RateLimitPolicyCommonSpec defines implicit default values for this policy and for policies inheriting this policy.
	// RateLimitPolicyCommonSpec is mutually exclusive with explicit defaults defined by Defaults.
	// Embedded with an empty JSON name, so with encoding/json semantics its
	// `limits` field appears directly in the spec.
	RateLimitPolicyCommonSpec `json:""`
}

RateLimitPolicySpec defines the desired state of RateLimitPolicy.

+kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.limits) || !self.limits.exists(x, has(self.limits[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
+kubebuilder:validation:XValidation:rule="!(has(self.defaults) && has(self.limits))",message="Implicit and explicit defaults are mutually exclusive"
+kubebuilder:validation:XValidation:rule="!(has(self.defaults) && has(self.overrides))",message="Overrides and explicit defaults are mutually exclusive"
+kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.limits))",message="Overrides and implicit defaults are mutually exclusive"
+kubebuilder:validation:XValidation:rule="!(has(self.overrides) && self.targetRef.kind != 'Gateway')",message="Overrides are only allowed for policies targeting a Gateway resource"

func (*RateLimitPolicySpec) CommonSpec added in v0.7.0

CommonSpec returns the Default RateLimitPolicyCommonSpec if it is defined. Otherwise, it returns the RateLimitPolicyCommonSpec from the spec. This function should be used instead of accessing the fields directly, so that either the explicit or implicit default is returned.

func (*RateLimitPolicySpec) DeepCopy

func (in *RateLimitPolicySpec) DeepCopy() *RateLimitPolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicySpec.

func (*RateLimitPolicySpec) DeepCopyInto

func (in *RateLimitPolicySpec) DeepCopyInto(out *RateLimitPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RateLimitPolicyStatus

// RateLimitPolicyStatus defines the observed state of RateLimitPolicy.
type RateLimitPolicyStatus struct {
	// StatusMeta is embedded with the `json:",inline"` tag; its fields are
	// declared in the reconcilers package and are not visible here.
	reconcilers.StatusMeta `json:",inline"`

	// Represents the observations of a RateLimitPolicy's current state.
	// Known .status.conditions.type are: "Available"
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
}

RateLimitPolicyStatus defines the observed state of RateLimitPolicy

func (*RateLimitPolicyStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicyStatus.

func (*RateLimitPolicyStatus) DeepCopyInto

func (in *RateLimitPolicyStatus) DeepCopyInto(out *RateLimitPolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RateLimitPolicyStatus) GetConditions added in v0.7.0

func (s *RateLimitPolicyStatus) GetConditions() []metav1.Condition

type ResponseSpec

// ResponseSpec customizes the auth response: the denial status returned for
// unauthenticated and for unauthorized requests, and the items returned when
// the request is authenticated and authorized.
//
// Success is a struct value rather than a pointer, so encoding/json's
// omitempty does not drop it from the serialized object when it is empty.
type ResponseSpec struct {
	// Customizations on the denial status attributes when the request is unauthenticated.
	// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config.
	// Default: 401 Unauthorized
	// +optional
	Unauthenticated *authorinoapi.DenyWithSpec `json:"unauthenticated,omitempty"`

	// Customizations on the denial status attributes when the request is unauthorized.
	// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config.
	// Default: 403 Forbidden
	// +optional
	Unauthorized *authorinoapi.DenyWithSpec `json:"unauthorized,omitempty"`

	// Response items to be included in the auth response when the request is authenticated and authorized.
	// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request.
	// +optional
	Success WrappedSuccessResponseSpec `json:"success,omitempty"`
}

func (*ResponseSpec) DeepCopy

func (in *ResponseSpec) DeepCopy() *ResponseSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseSpec.

func (*ResponseSpec) DeepCopyInto

func (in *ResponseSpec) DeepCopyInto(out *ResponseSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RouteSelector

// RouteSelector defines semantics for matching an HTTP request based on conditions.
// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
//
// Matches is capped at 8 items by its MaxItems marker; no such marker is
// declared on Hostnames in this struct.
type RouteSelector struct {
	// Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPRoute to process the request
	// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
	// +optional
	Hostnames []gatewayapiv1.Hostname `json:"hostnames,omitempty"`

	// Matches define conditions used for matching the rule against incoming HTTP requests.
	// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
	// +optional
	// +kubebuilder:validation:MaxItems=8
	Matches []gatewayapiv1.HTTPRouteMatch `json:"matches,omitempty"`
}

RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec

func (*RouteSelector) DeepCopy

func (in *RouteSelector) DeepCopy() *RouteSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteSelector.

func (*RouteSelector) DeepCopyInto

func (in *RouteSelector) DeepCopyInto(out *RouteSelector)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RouteSelector) HostnamesForConditions

func (s *RouteSelector) HostnamesForConditions(route *gatewayapiv1.HTTPRoute) []gatewayapiv1.Hostname

HostnamesForConditions allows avoiding building conditions for hostnames that are excluded by the selector or when the hostname is irrelevant (i.e. matches all hostnames)

func (*RouteSelector) SelectRules

func (s *RouteSelector) SelectRules(route *gatewayapiv1.HTTPRoute) (rules []gatewayapiv1.HTTPRouteRule)

SelectRules returns, from a HTTPRoute, all HTTPRouteRules that either specify no HTTPRouteMatches or that contain at least one HTTPRouteMatch whose statements expressly include (partially or totally) the statements of at least one of the matches of the selector. If the selector does not specify any matches, then all HTTPRouteRules are selected.

Additionally, if the selector specifies a non-empty list of hostnames, a non-empty intersection between the literal hostnames of the selector and set of hostnames specified in the HTTPRoute must exist. Otherwise, the function returns nil.

type RouteSelectorsGetter

// RouteSelectorsGetter is implemented by types that can return their list of
// RouteSelector values.
type RouteSelectorsGetter interface {
	// GetRouteSelectors returns the route selectors held by the implementer.
	GetRouteSelectors() []RouteSelector
}

+kubebuilder:object:generate=false

type SuccessResponseSpec

// SuccessResponseSpec combines Authorino's SuccessResponseSpec with this
// package's CommonAuthRuleSpec. Both are embedded with an empty json tag, so
// encoding/json keeps treating them as anonymous fields and promotes their
// fields into the enclosing JSON object.
type SuccessResponseSpec struct {
	authorinoapi.SuccessResponseSpec `json:""`
	CommonAuthRuleSpec               `json:""`
}

func (*SuccessResponseSpec) DeepCopy

func (in *SuccessResponseSpec) DeepCopy() *SuccessResponseSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SuccessResponseSpec.

func (*SuccessResponseSpec) DeepCopyInto

func (in *SuccessResponseSpec) DeepCopyInto(out *SuccessResponseSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TimeUnit

// TimeUnit is a string-typed time unit. The kubebuilder enum marker on this
// type admits the values second, minute, hour and day.
type TimeUnit string

+kubebuilder:validation:Enum:=second;minute;hour;day

type WhenCondition

// WhenCondition is a single comparison: the content fetched by Selector is
// compared with Value using Operator.
//
// NOTE(review): how Value is interpreted for the "matches" operator (pattern
// syntax, size or complexity limits) is not visible here — confirm before
// accepting conditions from less-trusted policy authors.
type WhenCondition struct {
	// Selector defines one item from the well known selectors
	// TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
	Selector ContextSelector `json:"selector"`

	// The binary operator to be applied to the content fetched from the selector
	// Possible values are: "eq" (equal to), "neq" (not equal to)
	// The enum marker on WhenConditionOperator additionally admits
	// "startswith", "endswith", "incl", "excl" and "matches".
	Operator WhenConditionOperator `json:"operator"`

	// The value of reference for the comparison.
	Value string `json:"value"`
}

WhenCondition defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec

func (*WhenCondition) DeepCopy

func (in *WhenCondition) DeepCopy() *WhenCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhenCondition.

func (*WhenCondition) DeepCopyInto

func (in *WhenCondition) DeepCopyInto(out *WhenCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WhenConditionOperator

// WhenConditionOperator is the string-typed operator of a WhenCondition. The
// kubebuilder enum marker on this type admits eq, neq, startswith, endswith,
// incl, excl and matches.
type WhenConditionOperator string

+kubebuilder:validation:Enum:=eq;neq;startswith;endswith;incl;excl;matches

const (
	// Values of WhenConditionOperator; each string is the form that appears in
	// the serialized policy and in the type's kubebuilder enum marker.
	EqualOperator      WhenConditionOperator = "eq"
	NotEqualOperator   WhenConditionOperator = "neq"
	StartsWithOperator WhenConditionOperator = "startswith"
	EndsWithOperator   WhenConditionOperator = "endswith"
	IncludeOperator    WhenConditionOperator = "incl"
	ExcludeOperator    WhenConditionOperator = "excl"
	MatchesOperator    WhenConditionOperator = "matches"

	// Annotation names for RateLimitPolicy references (untyped string constants).
	// NOTE(review): which objects carry these annotations and which component
	// writes them is not visible here. Annotations can be edited by anyone with
	// update rights on the annotated object, so confirm that no access decision
	// relies on them alone.
	RateLimitPolicyBackReferenceAnnotationName   = "kuadrant.io/ratelimitpolicies"
	RateLimitPolicyDirectReferenceAnnotationName = "kuadrant.io/ratelimitpolicy"
)

type WrappedSuccessResponseSpec

// WrappedSuccessResponseSpec groups the success response items by how they are
// delivered: as HTTP headers or as dynamic metadata. Each map is limited to 10
// entries by its MaxProperties marker.
//
// NOTE(review): a backend that trusts the injected headers presumably depends
// on the proxy replacing any client-supplied header of the same name — confirm
// in the proxy configuration.
type WrappedSuccessResponseSpec struct {
	// Custom success response items wrapped as HTTP headers.
	// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request.
	// +kubebuilder:validation:MaxProperties=10
	Headers map[string]HeaderSuccessResponseSpec `json:"headers,omitempty"`

	// Custom success response items wrapped as Envoy Dynamic Metadata.
	// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata.
	// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata
	// +kubebuilder:validation:MaxProperties=10
	DynamicMetadata map[string]SuccessResponseSpec `json:"dynamicMetadata,omitempty"`
}

func (*WrappedSuccessResponseSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WrappedSuccessResponseSpec.

func (*WrappedSuccessResponseSpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
