Documentation ¶
Overview ¶
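Package v1beta1 contains API Schema definitions for the kuadrant v1beta1 API group. (Note: the GroupVersion registered under Variables below is kuadrant.io/v1beta2, so the "v1beta1" in this sentence appears to be left over from an earlier API version.)
Package-level markers: +kubebuilder:object:generate=true +groupName=kuadrant.io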
Index ¶
- Constants
- Variables
- type AuthPolicy
- func (ap *AuthPolicy) BackReferenceAnnotationName() string
- func (in *AuthPolicy) DeepCopy() *AuthPolicy
- func (in *AuthPolicy) DeepCopyInto(out *AuthPolicy)
- func (in *AuthPolicy) DeepCopyObject() runtime.Object
- func (ap *AuthPolicy) DirectReferenceAnnotationName() string
- func (ap *AuthPolicy) GetRulesHostnames() (ruleHosts []string)
- func (ap *AuthPolicy) GetStatus() kuadrantgatewayapi.PolicyStatus
- func (ap *AuthPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference
- func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1.Namespace
- func (ap *AuthPolicy) IsAtomicOverride() bool
- func (ap *AuthPolicy) Kind() string
- func (ap *AuthPolicy) PolicyClass() kuadrantgatewayapi.PolicyClass
- func (ap *AuthPolicy) Validate() error
- type AuthPolicyCommonSpec
- type AuthPolicyList
- type AuthPolicySpec
- type AuthPolicyStatus
- type AuthSchemeSpec
- type AuthenticationSpec
- type AuthorizationSpec
- type CallbackSpec
- type CommonAuthRuleSpec
- type ContextSelector
- type HeaderSuccessResponseSpec
- type Limit
- type MetadataSpec
- type Rate
- type RateLimitPolicy
- func (r *RateLimitPolicy) BackReferenceAnnotationName() string
- func (in *RateLimitPolicy) DeepCopy() *RateLimitPolicy
- func (in *RateLimitPolicy) DeepCopyInto(out *RateLimitPolicy)
- func (in *RateLimitPolicy) DeepCopyObject() runtime.Object
- func (r *RateLimitPolicy) DirectReferenceAnnotationName() string
- func (r *RateLimitPolicy) GetRulesHostnames() (ruleHosts []string)
- func (r *RateLimitPolicy) GetStatus() kuadrantgatewayapi.PolicyStatus
- func (r *RateLimitPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference
- func (r *RateLimitPolicy) GetWrappedNamespace() gatewayapiv1.Namespace
- func (r *RateLimitPolicy) Kind() string
- func (r *RateLimitPolicy) PolicyClass() kuadrantgatewayapi.PolicyClass
- func (r *RateLimitPolicy) Validate() error
- type RateLimitPolicyCommonSpec
- type RateLimitPolicyList
- type RateLimitPolicySpec
- type RateLimitPolicyStatus
- func (in *RateLimitPolicyStatus) DeepCopy() *RateLimitPolicyStatus
- func (in *RateLimitPolicyStatus) DeepCopyInto(out *RateLimitPolicyStatus)
- func (s *RateLimitPolicyStatus) Equals(other *RateLimitPolicyStatus, logger logr.Logger) bool
- func (s *RateLimitPolicyStatus) GetConditions() []metav1.Condition
- type ResponseSpec
- type RouteSelector
- func (in *RouteSelector) DeepCopy() *RouteSelector
- func (in *RouteSelector) DeepCopyInto(out *RouteSelector)
- func (s *RouteSelector) HostnamesForConditions(route *gatewayapiv1.HTTPRoute) []gatewayapiv1.Hostname
- func (s *RouteSelector) SelectRules(route *gatewayapiv1.HTTPRoute) (rules []gatewayapiv1.HTTPRouteRule)
- type RouteSelectorsGetter
- type SuccessResponseSpec
- type TimeUnit
- type WhenCondition
- type WhenConditionOperator
- type WrappedSuccessResponseSpec
Constants ¶
// Annotation keys used for AuthPolicy references.
// NOTE(review): presumably these are the values returned by
// (*AuthPolicy).BackReferenceAnnotationName and
// (*AuthPolicy).DirectReferenceAnnotationName; the method bodies are not
// visible here, so confirm.
const (
	AuthPolicyBackReferenceAnnotationName   = "kuadrant.io/authpolicies"
	AuthPolicyDirectReferenceAnnotationName = "kuadrant.io/authpolicy"
)
Variables ¶
var (
	// GroupVersion is the group/version (kuadrant.io/v1beta2) under which
	// these objects are registered.
	GroupVersion = schema.GroupVersion{Group: "kuadrant.io", Version: "v1beta2"}

	// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type AuthPolicy ¶
// AuthPolicy is the top-level API object for an auth policy: Kubernetes type
// and object metadata plus the policy's Spec and Status.
type AuthPolicy struct {
	// TypeMeta is inlined into the serialized object.
	metav1.TypeMeta `json:",inline"`
	// ObjectMeta is serialized under "metadata".
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired configuration of the policy.
	Spec AuthPolicySpec `json:"spec,omitempty"`
	// Status carries the observed generation and conditions.
	Status AuthPolicyStatus `json:"status,omitempty"`
}
AuthPolicy enables authentication and authorization for service workloads in a Gateway API network
func (*AuthPolicy) BackReferenceAnnotationName ¶ added in v0.7.0
func (ap *AuthPolicy) BackReferenceAnnotationName() string
func (*AuthPolicy) DeepCopy ¶
func (in *AuthPolicy) DeepCopy() *AuthPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicy.
func (*AuthPolicy) DeepCopyInto ¶
func (in *AuthPolicy) DeepCopyInto(out *AuthPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthPolicy) DeepCopyObject ¶
func (in *AuthPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AuthPolicy) DirectReferenceAnnotationName ¶ added in v0.7.0
func (ap *AuthPolicy) DirectReferenceAnnotationName() string
func (*AuthPolicy) GetRulesHostnames ¶
func (ap *AuthPolicy) GetRulesHostnames() (ruleHosts []string)
GetRulesHostnames returns all hostnames referenced in the route selectors of the policy.
func (*AuthPolicy) GetStatus ¶ added in v0.7.0
func (ap *AuthPolicy) GetStatus() kuadrantgatewayapi.PolicyStatus
func (*AuthPolicy) GetTargetRef ¶
func (ap *AuthPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference
func (*AuthPolicy) GetWrappedNamespace ¶
func (ap *AuthPolicy) GetWrappedNamespace() gatewayapiv1.Namespace
func (*AuthPolicy) IsAtomicOverride ¶ added in v0.7.0
func (ap *AuthPolicy) IsAtomicOverride() bool
func (*AuthPolicy) Kind ¶ added in v0.7.0
func (ap *AuthPolicy) Kind() string
func (*AuthPolicy) PolicyClass ¶ added in v0.7.0
func (ap *AuthPolicy) PolicyClass() kuadrantgatewayapi.PolicyClass
func (*AuthPolicy) Validate ¶
func (ap *AuthPolicy) Validate() error
type AuthPolicyCommonSpec ¶ added in v0.7.0
// AuthPolicyCommonSpec holds the fields shared by the implicit, `defaults` and
// `overrides` forms of an AuthPolicy: route selectors, named patterns, `when`
// conditions and the auth rules themselves.
type AuthPolicyCommonSpec struct {
	// NOTE(review): RouteSelectors and Conditions both narrow where the policy
	// applies. Per the field docs below, a request that matches no selected
	// HTTPRoute rule does not trigger the policy, and a request that fails a
	// `when` condition is answered with status OK without the rules being
	// evaluated. Review both as scoping controls, with the same care as the
	// rules themselves.

	// Top-level route selectors.
	// If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the external authorization service.
	// At least one selected HTTPRoute rule must match to trigger the AuthPolicy.
	// If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes.
	// +optional
	// +kubebuilder:validation:MaxItems=15
	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`

	// Named sets of patterns that can be referred to in `when` conditions and in pattern-matching authorization policy rules.
	// +optional
	NamedPatterns map[string]authorinoapi.PatternExpressions `json:"patterns,omitempty"`

	// Overall conditions for the AuthPolicy to be enforced.
	// If omitted, the AuthPolicy will be enforced at all requests to the protected routes.
	// If present, all conditions must match for the AuthPolicy to be enforced; otherwise, the authorization service skips the AuthPolicy and returns to the auth request with status OK.
	// +optional
	Conditions []authorinoapi.PatternExpressionOrRef `json:"when,omitempty"`

	// The auth rules of the policy.
	// See Authorino's AuthConfig CRD for more details.
	AuthScheme *AuthSchemeSpec `json:"rules,omitempty"`
}
AuthPolicyCommonSpec contains common shared fields for defaults and overrides
func (*AuthPolicyCommonSpec) DeepCopy ¶ added in v0.7.0
func (in *AuthPolicyCommonSpec) DeepCopy() *AuthPolicyCommonSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyCommonSpec.
func (*AuthPolicyCommonSpec) DeepCopyInto ¶ added in v0.7.0
func (in *AuthPolicyCommonSpec) DeepCopyInto(out *AuthPolicyCommonSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (AuthPolicyCommonSpec) GetRouteSelectors ¶ added in v0.7.0
func (c AuthPolicyCommonSpec) GetRouteSelectors() []RouteSelector
GetRouteSelectors returns the top-level route selectors of the auth scheme. impl: RouteSelectorsGetter
type AuthPolicyList ¶
// AuthPolicyList is the list form of AuthPolicy: list metadata plus the items.
type AuthPolicyList struct {
	// TypeMeta is inlined into the serialized object.
	metav1.TypeMeta `json:",inline"`
	// ListMeta is serialized under "metadata".
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the policies; the key is always emitted (no omitempty).
	Items []AuthPolicy `json:"items"`
}
AuthPolicyList contains a list of AuthPolicy
func (*AuthPolicyList) DeepCopy ¶
func (in *AuthPolicyList) DeepCopy() *AuthPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyList.
func (*AuthPolicyList) DeepCopyInto ¶
func (in *AuthPolicyList) DeepCopyInto(out *AuthPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthPolicyList) DeepCopyObject ¶
func (in *AuthPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AuthPolicyList) GetItems ¶
func (l *AuthPolicyList) GetItems() []kuadrant.Policy
type AuthPolicySpec ¶
// AuthPolicySpec holds the target reference of an AuthPolicy together with the
// three mutually exclusive ways of supplying its rules: the embedded implicit
// defaults, explicit Defaults, and explicit Overrides.
type AuthPolicySpec struct {
	// NOTE(review): the two validation rules on TargetRef constrain only its
	// group and kind. Whether targetRef.namespace may point outside the
	// policy's own namespace is not visible on this page; confirm where that
	// is enforced.

	// TargetRef identifies an API object to apply policy to.
	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
	// +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'"
	TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`

	// Defaults define explicit default values for this policy and for policies inheriting this policy.
	// Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec.
	// +optional
	Defaults *AuthPolicyCommonSpec `json:"defaults,omitempty"`

	// Overrides define explicit override values for this policy.
	// Overrides are mutually exclusive with explicit and implicit defaults defined by AuthPolicyCommonSpec.
	// +optional
	Overrides *AuthPolicyCommonSpec `json:"overrides,omitempty"`

	// AuthPolicyCommonSpec defines implicit default values for this policy and for policies inheriting this policy.
	// AuthPolicyCommonSpec is mutually exclusive with explicit defaults defined by Defaults.
	AuthPolicyCommonSpec `json:""`
}
RouteSelectors - implicit default validation +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.routeSelectors)",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.authentication) || !self.rules.authentication.exists(x, has(self.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.metadata) || !self.rules.metadata.exists(x, has(self.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.authorization) || !self.rules.authorization.exists(x, has(self.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.response) || !has(self.rules.response.success) || !has(self.rules.response.success.headers) || !self.rules.response.success.headers.exists(x, has(self.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.response) || !has(self.rules.response.success) || !has(self.rules.response.success.dynamicMetadata) || !self.rules.response.success.dynamicMetadata.exists(x, has(self.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules) || !has(self.rules.callbacks) || !self.rules.callbacks.exists(x, 
has(self.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" RouteSelectors - explicit default validation +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.routeSelectors)",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.authentication) || !self.defaults.rules.authentication.exists(x, has(self.defaults.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.metadata) || !self.defaults.rules.metadata.exists(x, has(self.defaults.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.authorization) || !self.defaults.rules.authorization.exists(x, has(self.defaults.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.response) || !has(self.defaults.rules.response.success) || !has(self.defaults.rules.response.success.headers) || !self.defaults.rules.response.success.headers.exists(x, has(self.defaults.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.response) || 
!has(self.defaults.rules.response.success) || !has(self.defaults.rules.response.success.dynamicMetadata) || !self.defaults.rules.response.success.dynamicMetadata.exists(x, has(self.defaults.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.defaults) || !has(self.defaults.rules) || !has(self.defaults.rules.callbacks) || !self.defaults.rules.callbacks.exists(x, has(self.defaults.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" RouteSelectors - explicit overrides validation +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.routeSelectors)",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.authentication) || !self.overrides.rules.authentication.exists(x, has(self.overrides.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.metadata) || !self.overrides.rules.metadata.exists(x, has(self.overrides.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.authorization) || !self.overrides.rules.authorization.exists(x, has(self.overrides.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' 
|| !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.response) || !has(self.overrides.rules.response.success) || !has(self.overrides.rules.response.success.headers) || !self.overrides.rules.response.success.headers.exists(x, has(self.overrides.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.response) || !has(self.overrides.rules.response.success) || !has(self.overrides.rules.response.success.dynamicMetadata) || !self.overrides.rules.response.success.dynamicMetadata.exists(x, has(self.overrides.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.overrides) || !has(self.overrides.rules) || !has(self.overrides.rules.callbacks) || !self.overrides.rules.callbacks.exists(x, has(self.overrides.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" Mutual Exclusivity Validation +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit and explicit defaults are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit defaults and explicit overrides are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.defaults))",message="Explicit overrides and explicit defaults are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && self.targetRef.kind == 'HTTPRoute')",message="Overrides are not allowed for 
policies targeting a HTTPRoute resource"
func (*AuthPolicySpec) CommonSpec ¶ added in v0.7.0
func (ap *AuthPolicySpec) CommonSpec() *AuthPolicyCommonSpec
func (*AuthPolicySpec) DeepCopy ¶
func (in *AuthPolicySpec) DeepCopy() *AuthPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicySpec.
func (*AuthPolicySpec) DeepCopyInto ¶
func (in *AuthPolicySpec) DeepCopyInto(out *AuthPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthPolicyStatus ¶
// AuthPolicyStatus is the observed state of an AuthPolicy: the last spec
// generation seen and a list of conditions.
type AuthPolicyStatus struct {
	// ObservedGeneration reflects the generation of the most recently observed spec.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Represents the observations of the AuthPolicy's current state.
	// Known .status.conditions.type are: "Available"
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
}
func (*AuthPolicyStatus) DeepCopy ¶
func (in *AuthPolicyStatus) DeepCopy() *AuthPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthPolicyStatus.
func (*AuthPolicyStatus) DeepCopyInto ¶
func (in *AuthPolicyStatus) DeepCopyInto(out *AuthPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthPolicyStatus) Equals ¶
func (s *AuthPolicyStatus) Equals(other *AuthPolicyStatus, logger logr.Logger) bool
func (*AuthPolicyStatus) GetConditions ¶ added in v0.7.0
func (s *AuthPolicyStatus) GetConditions() []metav1.Condition
type AuthSchemeSpec ¶
// AuthSchemeSpec groups the auth rules of a policy by phase: authentication,
// metadata, authorization, response and callbacks. Each map is keyed by a
// rule name and, where marked, capped at 10 entries.
type AuthSchemeSpec struct {
	// NOTE(review): every field here is optional. What the authorization
	// service does when `authentication` or `authorization` is left empty is
	// not stated on this page; confirm against Authorino's AuthConfig
	// documentation before relying on a policy that declares none.

	// Authentication configs.
	// At least one config MUST evaluate to a valid identity object for the auth request to be successful.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Authentication map[string]AuthenticationSpec `json:"authentication,omitempty"`

	// Metadata sources.
	// Authorino fetches auth metadata as JSON from sources specified in this config.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Metadata map[string]MetadataSpec `json:"metadata,omitempty"`

	// Authorization policies.
	// All policies MUST evaluate to "allowed = true" for the auth request to be successful.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Authorization map[string]AuthorizationSpec `json:"authorization,omitempty"`

	// Response items.
	// Authorino builds custom responses to the client of the auth request.
	// +optional
	Response *ResponseSpec `json:"response,omitempty"`

	// Callback functions.
	// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config.
	// +optional
	// +kubebuilder:validation:MaxProperties=10
	Callbacks map[string]CallbackSpec `json:"callbacks,omitempty"`
}
func (*AuthSchemeSpec) DeepCopy ¶
func (in *AuthSchemeSpec) DeepCopy() *AuthSchemeSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSchemeSpec.
func (*AuthSchemeSpec) DeepCopyInto ¶
func (in *AuthSchemeSpec) DeepCopyInto(out *AuthSchemeSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthenticationSpec ¶
// AuthenticationSpec combines Authorino's authentication config with the
// per-rule route selectors of CommonAuthRuleSpec. Both are embedded with an
// empty JSON name, so encoding/json promotes their fields to this level.
type AuthenticationSpec struct {
	authorinoapi.AuthenticationSpec `json:""`
	CommonAuthRuleSpec              `json:""`
}
func (*AuthenticationSpec) DeepCopy ¶
func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationSpec.
func (*AuthenticationSpec) DeepCopyInto ¶
func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthorizationSpec ¶
// AuthorizationSpec combines Authorino's authorization config with the
// per-rule route selectors of CommonAuthRuleSpec. Both are embedded with an
// empty JSON name, so encoding/json promotes their fields to this level.
type AuthorizationSpec struct {
	authorinoapi.AuthorizationSpec `json:""`
	CommonAuthRuleSpec             `json:""`
}
func (*AuthorizationSpec) DeepCopy ¶
func (in *AuthorizationSpec) DeepCopy() *AuthorizationSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationSpec.
func (*AuthorizationSpec) DeepCopyInto ¶
func (in *AuthorizationSpec) DeepCopyInto(out *AuthorizationSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CallbackSpec ¶
// CallbackSpec combines Authorino's callback config with the per-rule route
// selectors of CommonAuthRuleSpec. Both are embedded with an empty JSON name,
// so encoding/json promotes their fields to this level.
type CallbackSpec struct {
	authorinoapi.CallbackSpec `json:""`
	CommonAuthRuleSpec        `json:""`
}
func (*CallbackSpec) DeepCopy ¶
func (in *CallbackSpec) DeepCopy() *CallbackSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallbackSpec.
func (*CallbackSpec) DeepCopyInto ¶
func (in *CallbackSpec) DeepCopyInto(out *CallbackSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CommonAuthRuleSpec ¶
// CommonAuthRuleSpec carries the route selectors that can be attached to an
// individual auth rule; it is embedded by the per-phase rule types.
type CommonAuthRuleSpec struct {
	// NOTE(review): per the field doc below, a rule with selectors is only
	// triggered when a selected HTTPRoute rule matches, so selectors on an
	// authentication or authorization rule decide which requests that rule
	// checks at all.

	// Top-level route selectors.
	// If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule.
	// At least one selected HTTPRoute rule must match to trigger the auth rule.
	// If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes.
	// +optional
	// +kubebuilder:validation:MaxItems=8
	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
}
func (*CommonAuthRuleSpec) DeepCopy ¶
func (in *CommonAuthRuleSpec) DeepCopy() *CommonAuthRuleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonAuthRuleSpec.
func (*CommonAuthRuleSpec) DeepCopyInto ¶
func (in *CommonAuthRuleSpec) DeepCopyInto(out *CommonAuthRuleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (CommonAuthRuleSpec) GetRouteSelectors ¶
func (s CommonAuthRuleSpec) GetRouteSelectors() []RouteSelector
GetRouteSelectors returns the route selectors of the auth rule spec. impl: RouteSelectorsGetter
type ContextSelector ¶
// ContextSelector is a string naming one request attribute by its
// dot-separated path, for example "request.path".
type ContextSelector string
ContextSelector defines one item from the well-known attributes.
Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes
Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
They are named by a dot-separated path (e.g. request.path).
Example: "request.path" -> the path portion of the URL.
Validation markers: +kubebuilder:validation:MinLength=1 +kubebuilder:validation:MaxLength=253
type HeaderSuccessResponseSpec ¶
// HeaderSuccessResponseSpec wraps SuccessResponseSpec without adding fields of
// its own; the embedded struct has an empty JSON name, so its fields are
// promoted to this level when encoded.
type HeaderSuccessResponseSpec struct {
	SuccessResponseSpec `json:""`
}
func (*HeaderSuccessResponseSpec) DeepCopy ¶
func (in *HeaderSuccessResponseSpec) DeepCopy() *HeaderSuccessResponseSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderSuccessResponseSpec.
func (*HeaderSuccessResponseSpec) DeepCopyInto ¶
func (in *HeaderSuccessResponseSpec) DeepCopyInto(out *HeaderSuccessResponseSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Limit ¶
// Limit is one named rate limit definition: which routes it covers, the extra
// conditions under which it applies, how requests are counted, and the rates
// to enforce.
type Limit struct {
	// RouteSelectors defines semantics for matching an HTTP request based on conditions
	// +optional
	// +kubebuilder:validation:MaxItems=15
	RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`

	// When holds the list of conditions for the policy to be enforced.
	// Also called "soft" conditions, as route selectors must also match
	// +optional
	When []WhenCondition `json:"when,omitempty"`

	// NOTE(review): presumably each distinct value of a counter selector gets
	// its own counter. If so, prefer attributes the caller cannot freely vary;
	// confirm against the RFC linked below.

	// Counters defines additional rate limit counters based on context qualifiers and well known selectors
	// TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
	// +optional
	Counters []ContextSelector `json:"counters,omitempty"`

	// Rates holds the list of limit rates
	// +optional
	Rates []Rate `json:"rates,omitempty"`
}
Limit represents a complete rate limit configuration
func (Limit) CountersAsStringList ¶
func (*Limit) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Limit.
func (*Limit) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MetadataSpec ¶
// MetadataSpec combines Authorino's metadata config with the per-rule route
// selectors of CommonAuthRuleSpec. Both are embedded with an empty JSON name,
// so encoding/json promotes their fields to this level.
type MetadataSpec struct {
	authorinoapi.MetadataSpec `json:""`
	CommonAuthRuleSpec        `json:""`
}
func (*MetadataSpec) DeepCopy ¶
func (in *MetadataSpec) DeepCopy() *MetadataSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetadataSpec.
func (*MetadataSpec) DeepCopyInto ¶
func (in *MetadataSpec) DeepCopyInto(out *MetadataSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Rate ¶
// Rate is a single limit expressed as "Limit per Duration Unit", for example
// a Limit of 5 with a Duration of 10 and a Unit of "second".
type Rate struct {
	// NOTE(review): Limit and Duration are plain ints and no minimum is
	// declared in the markers shown here; confirm that zero or negative
	// values are rejected elsewhere (for example in Validate).

	// Limit defines the max value allowed for a given period of time
	Limit int `json:"limit"`

	// Duration defines the time period for which the Limit specified above applies.
	Duration int `json:"duration"`

	// Unit defines the time unit of Duration.
	// Possible values are: "second", "minute", "hour", "day"
	Unit TimeUnit `json:"unit"`
}
Rate defines the actual rate limit that will be used when there is a match
func (*Rate) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rate.
func (*Rate) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RateLimitPolicy ¶
// RateLimitPolicy is the top-level API object for a rate limit policy:
// Kubernetes type and object metadata plus the policy's Spec and Status.
type RateLimitPolicy struct {
	// TypeMeta is inlined into the serialized object.
	metav1.TypeMeta `json:",inline"`
	// ObjectMeta is serialized under "metadata".
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired configuration of the policy.
	Spec RateLimitPolicySpec `json:"spec,omitempty"`
	// Status is the state reported back for the policy.
	Status RateLimitPolicyStatus `json:"status,omitempty"`
}
RateLimitPolicy enables rate limiting for service workloads in a Gateway API network
func (*RateLimitPolicy) BackReferenceAnnotationName ¶ added in v0.7.0
func (r *RateLimitPolicy) BackReferenceAnnotationName() string
func (*RateLimitPolicy) DeepCopy ¶
func (in *RateLimitPolicy) DeepCopy() *RateLimitPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicy.
func (*RateLimitPolicy) DeepCopyInto ¶
func (in *RateLimitPolicy) DeepCopyInto(out *RateLimitPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RateLimitPolicy) DeepCopyObject ¶
func (in *RateLimitPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*RateLimitPolicy) DirectReferenceAnnotationName ¶ added in v0.7.0
func (r *RateLimitPolicy) DirectReferenceAnnotationName() string
func (*RateLimitPolicy) GetRulesHostnames ¶
func (r *RateLimitPolicy) GetRulesHostnames() (ruleHosts []string)
func (*RateLimitPolicy) GetStatus ¶ added in v0.7.0
func (r *RateLimitPolicy) GetStatus() kuadrantgatewayapi.PolicyStatus
func (*RateLimitPolicy) GetTargetRef ¶
func (r *RateLimitPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference
func (*RateLimitPolicy) GetWrappedNamespace ¶
func (r *RateLimitPolicy) GetWrappedNamespace() gatewayapiv1.Namespace
func (*RateLimitPolicy) Kind ¶ added in v0.7.0
func (r *RateLimitPolicy) Kind() string
func (*RateLimitPolicy) PolicyClass ¶ added in v0.7.0
func (r *RateLimitPolicy) PolicyClass() kuadrantgatewayapi.PolicyClass
func (*RateLimitPolicy) Validate ¶
func (r *RateLimitPolicy) Validate() error
type RateLimitPolicyCommonSpec ¶ added in v0.7.0
// RateLimitPolicyCommonSpec holds the fields shared by the implicit,
// `defaults` and `overrides` forms of a RateLimitPolicy; at present that is
// only the map of named limits.
type RateLimitPolicyCommonSpec struct {
	// Limits holds the struct of limits indexed by a unique name
	// +optional
	// +kubebuilder:validation:MaxProperties=14
	Limits map[string]Limit `json:"limits,omitempty"`
}
RateLimitPolicyCommonSpec contains common shared fields.
func (*RateLimitPolicyCommonSpec) DeepCopy ¶ added in v0.7.0
func (in *RateLimitPolicyCommonSpec) DeepCopy() *RateLimitPolicyCommonSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicyCommonSpec.
func (*RateLimitPolicyCommonSpec) DeepCopyInto ¶ added in v0.7.0
func (in *RateLimitPolicyCommonSpec) DeepCopyInto(out *RateLimitPolicyCommonSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RateLimitPolicyList ¶
// RateLimitPolicyList is the list form of RateLimitPolicy: list metadata plus
// the items.
type RateLimitPolicyList struct {
	// TypeMeta is inlined into the serialized object.
	metav1.TypeMeta `json:",inline"`
	// ListMeta is serialized under "metadata".
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the policies; the key is always emitted (no omitempty).
	Items []RateLimitPolicy `json:"items"`
}
RateLimitPolicyList contains a list of RateLimitPolicy
func (*RateLimitPolicyList) DeepCopy ¶
func (in *RateLimitPolicyList) DeepCopy() *RateLimitPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicyList.
func (*RateLimitPolicyList) DeepCopyInto ¶
func (in *RateLimitPolicyList) DeepCopyInto(out *RateLimitPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RateLimitPolicyList) DeepCopyObject ¶
func (in *RateLimitPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*RateLimitPolicyList) GetItems ¶
func (l *RateLimitPolicyList) GetItems() []kuadrant.Policy
type RateLimitPolicySpec ¶
type RateLimitPolicySpec struct {
	// NOTE(review): the two XValidation rules on TargetRef constrain only
	// targetRef.group and targetRef.kind. No rule on the target's name or
	// namespace is visible on this type; whether a policy may reference an
	// object outside its own namespace is presumably decided in
	// RateLimitPolicy.Validate() — confirm before relying on it.

	// TargetRef identifies an API object to apply policy to.
	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
	// +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'"
	TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`

	// Defaults define explicit default values for this policy and for policies inheriting this policy.
	// Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec.
	// +optional
	Defaults *RateLimitPolicyCommonSpec `json:"defaults,omitempty"`

	// NOTE(review): the type-level rules listed in this type's documentation
	// reject Overrides unless targetRef.kind is 'Gateway', and reject
	// combining Overrides with Defaults or with the implicit limits.

	// Overrides define override values for this policy and for policies inheriting this policy.
	// Overrides are mutually exclusive with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec.
	// +optional
	Overrides *RateLimitPolicyCommonSpec `json:"overrides,omitempty"`

	// RateLimitPolicyCommonSpec defines implicit default values for this policy and for policies inheriting this policy.
	// RateLimitPolicyCommonSpec is mutually exclusive with explicit defaults defined by Defaults.
	RateLimitPolicyCommonSpec `json:""`
}
RateLimitPolicySpec defines the desired state of RateLimitPolicy +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.limits) || !self.limits.exists(x, has(self.limits[x].routeSelectors))",message="route selectors not supported when targeting a Gateway" +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && has(self.limits))",message="Implicit and explicit defaults are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && has(self.overrides))",message="Overrides and explicit defaults are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.limits))",message="Overrides and implicit defaults are mutually exclusive" +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && self.targetRef.kind != 'Gateway')",message="Overrides are only allowed for policies targeting a Gateway resource"
func (*RateLimitPolicySpec) CommonSpec ¶ added in v0.7.0
func (r *RateLimitPolicySpec) CommonSpec() *RateLimitPolicyCommonSpec
CommonSpec returns the Default RateLimitPolicyCommonSpec if it is defined. Otherwise, it returns the RateLimitPolicyCommonSpec from the spec. This function should be used instead of accessing the fields directly, so that either the explicit or implicit default is returned.
func (*RateLimitPolicySpec) DeepCopy ¶
func (in *RateLimitPolicySpec) DeepCopy() *RateLimitPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicySpec.
func (*RateLimitPolicySpec) DeepCopyInto ¶
func (in *RateLimitPolicySpec) DeepCopyInto(out *RateLimitPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RateLimitPolicyStatus ¶
type RateLimitPolicyStatus struct {
	// ObservedGeneration reflects the generation of the most recently observed spec.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Represents the observations of a RateLimitPolicy's current state.
	// Known .status.conditions.type are: "Available"
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
}
RateLimitPolicyStatus defines the observed state of RateLimitPolicy
func (*RateLimitPolicyStatus) DeepCopy ¶
func (in *RateLimitPolicyStatus) DeepCopy() *RateLimitPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitPolicyStatus.
func (*RateLimitPolicyStatus) DeepCopyInto ¶
func (in *RateLimitPolicyStatus) DeepCopyInto(out *RateLimitPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RateLimitPolicyStatus) Equals ¶
func (s *RateLimitPolicyStatus) Equals(other *RateLimitPolicyStatus, logger logr.Logger) bool
func (*RateLimitPolicyStatus) GetConditions ¶ added in v0.7.0
func (s *RateLimitPolicyStatus) GetConditions() []metav1.Condition
type ResponseSpec ¶
// ResponseSpec groups the response customizations for the three outcomes of
// an auth check: unauthenticated, unauthorized and success.
type ResponseSpec struct {
	// NOTE(review): per the field comments below, the enforcing proxy must
	// honour these attributes; this type only carries the configuration, so
	// the status a client actually receives depends on the proxy integration.

	// Customizations on the denial status attributes when the request is unauthenticated.
	// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config.
	// Default: 401 Unauthorized
	// +optional
	Unauthenticated *authorinoapi.DenyWithSpec `json:"unauthenticated,omitempty"`

	// Customizations on the denial status attributes when the request is unauthorized.
	// For integration of Authorino via proxy, the proxy must honour the response status attributes specified in this config.
	// Default: 403 Forbidden
	// +optional
	Unauthorized *authorinoapi.DenyWithSpec `json:"unauthorized,omitempty"`

	// Response items to be included in the auth response when the request is authenticated and authorized.
	// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request.
	// +optional
	Success WrappedSuccessResponseSpec `json:"success,omitempty"`
}
func (*ResponseSpec) DeepCopy ¶
func (in *ResponseSpec) DeepCopy() *ResponseSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseSpec.
func (*ResponseSpec) DeepCopyInto ¶
func (in *ResponseSpec) DeepCopyInto(out *ResponseSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RouteSelector ¶
type RouteSelector struct {
	// NOTE(review): Matches carries a MaxItems=8 marker; no equivalent bound
	// on Hostnames is visible on this type — confirm whether one is intended.

	// Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPRoute to process the request
	// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
	// +optional
	Hostnames []gatewayapiv1.Hostname `json:"hostnames,omitempty"`

	// Matches define conditions used for matching the rule against incoming HTTP requests.
	// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
	// +optional
	// +kubebuilder:validation:MaxItems=8
	Matches []gatewayapiv1.HTTPRouteMatch `json:"matches,omitempty"`
}
RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
func (*RouteSelector) DeepCopy ¶
func (in *RouteSelector) DeepCopy() *RouteSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteSelector.
func (*RouteSelector) DeepCopyInto ¶
func (in *RouteSelector) DeepCopyInto(out *RouteSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RouteSelector) HostnamesForConditions ¶
func (s *RouteSelector) HostnamesForConditions(route *gatewayapiv1.HTTPRoute) []gatewayapiv1.Hostname
HostnamesForConditions allows avoiding building conditions for hostnames that are excluded by the selector or when the hostname is irrelevant (i.e. matches all hostnames)
func (*RouteSelector) SelectRules ¶
func (s *RouteSelector) SelectRules(route *gatewayapiv1.HTTPRoute) (rules []gatewayapiv1.HTTPRouteRule)
SelectRules returns, from a HTTPRoute, all HTTPRouteRules that either specify no HTTPRouteMatches or that contain at least one HTTPRouteMatch whose statements expressly include (partially or totally) the statements of at least one of the matches of the selector. If the selector does not specify any matches, then all HTTPRouteRules are selected.
Additionally, if the selector specifies a non-empty list of hostnames, a non-empty intersection between the literal hostnames of the selector and set of hostnames specified in the HTTPRoute must exist. Otherwise, the function returns nil.
type RouteSelectorsGetter ¶
// RouteSelectorsGetter is implemented by types that expose a list of
// RouteSelector values.
type RouteSelectorsGetter interface {
	// GetRouteSelectors returns the implementer's RouteSelector values.
	GetRouteSelectors() []RouteSelector
}
+kubebuilder:object:generate=false
type SuccessResponseSpec ¶
// SuccessResponseSpec combines the Authorino success-response definition with
// the CommonAuthRuleSpec fields of this package. Both are embedded with an
// empty JSON name, so their fields serialize at the same level as this struct.
type SuccessResponseSpec struct {
	authorinoapi.SuccessResponseSpec `json:""`
	CommonAuthRuleSpec               `json:""`
}
func (*SuccessResponseSpec) DeepCopy ¶
func (in *SuccessResponseSpec) DeepCopy() *SuccessResponseSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SuccessResponseSpec.
func (*SuccessResponseSpec) DeepCopyInto ¶
func (in *SuccessResponseSpec) DeepCopyInto(out *SuccessResponseSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type WhenCondition ¶
type WhenCondition struct {
	// Selector defines one item from the well known selectors
	// TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors
	Selector ContextSelector `json:"selector"`

	// NOTE(review): the Enum marker on WhenConditionOperator admits seven
	// values. Only "eq" and "neq" are described on this page; how the other
	// operators (notably "matches") interpret Value should be confirmed in
	// the component that evaluates the condition.

	// The binary operator to be applied to the content fetched from the selector
	// Possible values are: "eq" (equal to), "neq" (not equal to), "startswith", "endswith", "incl", "excl", "matches"
	Operator WhenConditionOperator `json:"operator"`

	// The value of reference for the comparison.
	Value string `json:"value"`
}
WhenCondition defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
func (*WhenCondition) DeepCopy ¶
func (in *WhenCondition) DeepCopy() *WhenCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhenCondition.
func (*WhenCondition) DeepCopyInto ¶
func (in *WhenCondition) DeepCopyInto(out *WhenCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type WhenConditionOperator ¶
// WhenConditionOperator is the string type of the Operator field of
// WhenCondition.
type WhenConditionOperator string
+kubebuilder:validation:Enum:=eq;neq;startswith;endswith;incl;excl;matches
const (
	// Values of WhenConditionOperator. The set is the same as the one listed
	// in the kubebuilder Enum marker on the type.
	EqualOperator      WhenConditionOperator = "eq"
	NotEqualOperator   WhenConditionOperator = "neq"
	StartsWithOperator WhenConditionOperator = "startswith"
	EndsWithOperator   WhenConditionOperator = "endswith"
	IncludeOperator    WhenConditionOperator = "incl"
	ExcludeOperator    WhenConditionOperator = "excl"
	MatchesOperator    WhenConditionOperator = "matches"

	// Annotation keys under the kuadrant.io prefix (untyped string constants).
	// Presumably the values returned by RateLimitPolicy's
	// BackReferenceAnnotationName and DirectReferenceAnnotationName — confirm.
	RateLimitPolicyBackReferenceAnnotationName   = "kuadrant.io/ratelimitpolicies"
	RateLimitPolicyDirectReferenceAnnotationName = "kuadrant.io/ratelimitpolicy"
)
type WrappedSuccessResponseSpec ¶
// WrappedSuccessResponseSpec holds the success-response items, grouped by how
// they are delivered: as HTTP headers or as dynamic metadata. Each map is
// capped at 10 entries by its MaxProperties marker.
type WrappedSuccessResponseSpec struct {
	// NOTE(review): Headers are injected into the request by the proxy.
	// Whether a client-supplied header with the same name is overwritten or
	// removed is decided by the proxy integration, not by this type — confirm
	// before an upstream treats these headers as trusted identity data.

	// Custom success response items wrapped as HTTP headers.
	// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request.
	// +kubebuilder:validation:MaxProperties=10
	Headers map[string]HeaderSuccessResponseSpec `json:"headers,omitempty"`

	// Custom success response items wrapped as dynamic metadata.
	// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata.
	// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata
	// +kubebuilder:validation:MaxProperties=10
	DynamicMetadata map[string]SuccessResponseSpec `json:"dynamicMetadata,omitempty"`
}
func (*WrappedSuccessResponseSpec) DeepCopy ¶
func (in *WrappedSuccessResponseSpec) DeepCopy() *WrappedSuccessResponseSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WrappedSuccessResponseSpec.
func (*WrappedSuccessResponseSpec) DeepCopyInto ¶
func (in *WrappedSuccessResponseSpec) DeepCopyInto(out *WrappedSuccessResponseSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.