[go: up one dir, main page]

v1alpha3

package
v1.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2025 License: Apache-2.0 Imports: 5 Imported by: 26

Documentation

Overview

Package v1alpha3 contains API Schema definitions for the gateway.networking.k8s.io API group.

+k8s:openapi-gen=true +kubebuilder:object:generate=true +groupName=gateway.networking.k8s.io

Index

Constants

View Source 
const GroupName = "gateway.networking.k8s.io"

GroupName specifies the group name used to register the objects.

Variables

View Source 
var (
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder

	// Deprecated: use Install instead
	AddToScheme = localSchemeBuilder.AddToScheme
	Install     = localSchemeBuilder.AddToScheme
)
View Source 
var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha3"}

GroupVersion specifies the group and the version used to register the objects.

View Source 
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha3"}

SchemeGroupVersion is group version used to register these objects Deprecated: use GroupVersion instead.

Functions

func Resource 

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type BackendTLSPolicy 

type BackendTLSPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec defines the desired state of BackendTLSPolicy.
	Spec BackendTLSPolicySpec `json:"spec"`

	// Status defines the current state of BackendTLSPolicy.
	Status v1alpha2.PolicyStatus `json:"status,omitempty"`
}

BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.

func (*BackendTLSPolicy) DeepCopy 

func (in *BackendTLSPolicy) DeepCopy() *BackendTLSPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicy.

func (*BackendTLSPolicy) DeepCopyInto 

func (in *BackendTLSPolicy) DeepCopyInto(out *BackendTLSPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*BackendTLSPolicy) DeepCopyObject 

func (in *BackendTLSPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type BackendTLSPolicyList 

type BackendTLSPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []BackendTLSPolicy `json:"items"`
}

BackendTLSPolicyList contains a list of BackendTLSPolicies +kubebuilder:object:root=true

func (*BackendTLSPolicyList) DeepCopy 

func (in *BackendTLSPolicyList) DeepCopy() *BackendTLSPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicyList.

func (*BackendTLSPolicyList) DeepCopyInto 

func (in *BackendTLSPolicyList) DeepCopyInto(out *BackendTLSPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*BackendTLSPolicyList) DeepCopyObject 

func (in *BackendTLSPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type BackendTLSPolicySpec 

type BackendTLSPolicySpec struct {
	// TargetRefs identifies an API object to apply the policy to.
	// Only Services have Extended support. Implementations MAY support
	// additional objects, with Implementation Specific support.
	// Note that this config applies to the entire referenced resource
	// by default, but this default may change in the future to provide
	// a more granular application of the policy.
	//
	// TargetRefs must be _distinct_. This means either that:
	//
	// * They select different targets. If this is the case, then targetRef
	//   entries are distinct. In terms of fields, this means that the
	//   multi-part key defined by `group`, `kind`, and `name` must
	//   be unique across all targetRef entries in the BackendTLSPolicy.
	// * They select different sectionNames in the same target.
	//
	// Support: Extended for Kubernetes Service
	//
	// Support: Implementation-specific for any other resource
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=16
	// +kubebuilder:validation:XValidation:message="sectionName must be specified when targetRefs includes 2 or more references to the same target",rule="self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName == ”) == (!has(p2.sectionName) || p2.sectionName == ”)) : true))"
	// +kubebuilder:validation:XValidation:message="sectionName must be unique when targetRefs includes 2 or more references to the same target",rule="self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || p1.sectionName == ”) && (!has(p2.sectionName) || p2.sectionName == ”)) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))"
	TargetRefs []v1alpha2.LocalPolicyTargetReferenceWithSectionName `json:"targetRefs"`

	// Validation contains backend TLS validation configuration.
	Validation BackendTLSPolicyValidation `json:"validation"`

	// Options are a list of key/value pairs to enable extended TLS
	// configuration for each implementation. For example, configuring the
	// minimum TLS version or supported cipher suites.
	//
	// A set of common keys MAY be defined by the API in the future. To avoid
	// any ambiguity, implementation-specific definitions MUST use
	// domain-prefixed names, such as `example.com/my-custom-option`.
	// Un-prefixed names are reserved for key names defined by Gateway API.
	//
	// Support: Implementation-specific
	//
	// +optional
	// +kubebuilder:validation:MaxProperties=16
	Options map[v1.AnnotationKey]v1.AnnotationValue `json:"options,omitempty"`
}

BackendTLSPolicySpec defines the desired state of BackendTLSPolicy.

Support: Extended

func (*BackendTLSPolicySpec) DeepCopy 

func (in *BackendTLSPolicySpec) DeepCopy() *BackendTLSPolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicySpec.

func (*BackendTLSPolicySpec) DeepCopyInto 

func (in *BackendTLSPolicySpec) DeepCopyInto(out *BackendTLSPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type BackendTLSPolicyValidation 

type BackendTLSPolicyValidation struct {
	// CACertificateRefs contains one or more references to Kubernetes objects that
	// contain a PEM-encoded TLS CA certificate bundle, which is used to
	// validate a TLS handshake between the Gateway and backend Pod.
	//
	// If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
	// specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
	// not both. If CACertificateRefs is empty or unspecified, the configuration for
	// WellKnownCACertificates MUST be honored instead if supported by the implementation.
	//
	// References to a resource in a different namespace are invalid for the
	// moment, although we will revisit this in the future.
	//
	// A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
	// Implementations MAY choose to support attaching multiple certificates to
	// a backend, but this behavior is implementation-specific.
	//
	// Support: Core - An optional single reference to a Kubernetes ConfigMap,
	// with the CA certificate in a key named `ca.crt`.
	//
	// Support: Implementation-specific (More than one reference, or other kinds
	// of resources).
	//
	// +kubebuilder:validation:MaxItems=8
	// +optional
	CACertificateRefs []v1.LocalObjectReference `json:"caCertificateRefs,omitempty"`

	// WellKnownCACertificates specifies whether system CA certificates may be used in
	// the TLS handshake between the gateway and backend pod.
	//
	// If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
	// must be specified with at least one entry for a valid configuration. Only one of
	// CACertificateRefs or WellKnownCACertificates may be specified, not both. If an
	// implementation does not support the WellKnownCACertificates field or the value
	// supplied is not supported, the Status Conditions on the Policy MUST be
	// updated to include an Accepted: False Condition with Reason: Invalid.
	//
	// Support: Implementation-specific
	//
	// +optional
	WellKnownCACertificates *WellKnownCACertificatesType `json:"wellKnownCACertificates,omitempty"`

	// Hostname is used for two purposes in the connection between Gateways and
	// backends:
	//
	// 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
	// 2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified.
	//    authentication and MUST match the certificate served by the matching
	//    backend.
	//
	// Support: Core
	Hostname v1.PreciseHostname `json:"hostname"`

	// SubjectAltNames contains one or more Subject Alternative Names.
	// When specified the certificate served from the backend MUST
	// have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
	//
	// Support: Extended
	//
	// +optional
	// +kubebuilder:validation:MaxItems=5
	SubjectAltNames []SubjectAltName `json:"subjectAltNames,omitempty"`
}

BackendTLSPolicyValidation contains backend TLS validation configuration. +kubebuilder:validation:XValidation:message="must not contain both CACertificateRefs and WellKnownCACertificates",rule="!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")" +kubebuilder:validation:XValidation:message="must specify either CACertificateRefs or WellKnownCACertificates",rule="(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")"

func (*BackendTLSPolicyValidation) DeepCopy 

func (in *BackendTLSPolicyValidation) DeepCopy() *BackendTLSPolicyValidation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTLSPolicyValidation.

func (*BackendTLSPolicyValidation) DeepCopyInto 

func (in *BackendTLSPolicyValidation) DeepCopyInto(out *BackendTLSPolicyValidation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SubjectAltName added in v1.2.0 

type SubjectAltName struct {
	// Type determines the format of the Subject Alternative Name. Always required.
	//
	// Support: Core
	Type SubjectAltNameType `json:"type"`

	// Hostname contains Subject Alternative Name specified in DNS name format.
	// Required when Type is set to Hostname, ignored otherwise.
	//
	// Support: Core
	//
	// +optional
	Hostname v1.Hostname `json:"hostname,omitempty"`

	// URI contains Subject Alternative Name specified in a full URI format.
	// It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
	// Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
	// Required when Type is set to URI, ignored otherwise.
	//
	// Support: Core
	//
	// +optional
	URI v1.AbsoluteURI `json:"uri,omitempty"`
}

SubjectAltName represents Subject Alternative Name. +kubebuilder:validation:XValidation:message="SubjectAltName element must contain Hostname, if Type is set to Hostname",rule="!(self.type == \"Hostname\" && (!has(self.hostname) || self.hostname == \"\"))" +kubebuilder:validation:XValidation:message="SubjectAltName element must not contain Hostname, if Type is not set to Hostname",rule="!(self.type != \"Hostname\" && has(self.hostname) && self.hostname != \"\")" +kubebuilder:validation:XValidation:message="SubjectAltName element must contain URI, if Type is set to URI",rule="!(self.type == \"URI\" && (!has(self.uri) || self.uri == \"\"))" +kubebuilder:validation:XValidation:message="SubjectAltName element must not contain URI, if Type is not set to URI",rule="!(self.type != \"URI\" && has(self.uri) && self.uri != \"\")"

func (*SubjectAltName) DeepCopy added in v1.2.0 

func (in *SubjectAltName) DeepCopy() *SubjectAltName

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAltName.

func (*SubjectAltName) DeepCopyInto added in v1.2.0 

func (in *SubjectAltName) DeepCopyInto(out *SubjectAltName)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SubjectAltNameType added in v1.2.0 

type SubjectAltNameType string

SubjectAltNameType is the type of the Subject Alternative Name. +kubebuilder:validation:Enum=Hostname;URI 

const (
	// HostnameSubjectAltNameType specifies hostname-based SAN.
	//
	// Support: Core
	HostnameSubjectAltNameType SubjectAltNameType = "Hostname"

	// URISubjectAltNameType specifies URI-based SAN, e.g. SPIFFE id.
	//
	// Support: Core
	URISubjectAltNameType SubjectAltNameType = "URI"
)

type WellKnownCACertificatesType 

type WellKnownCACertificatesType string

WellKnownCACertificatesType is the type of CA certificate that will be used when the caCertificateRefs field is unspecified. +kubebuilder:validation:Enum=System 

const (
	// WellKnownCACertificatesSystem indicates that well known system CA certificates should be used.
	WellKnownCACertificatesSystem WellKnownCACertificatesType = "System"
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.